From fa6ce8cc002d9c3bee3c514b6add490fcd8ef27d Mon Sep 17 00:00:00 2001 From: timonrieger Date: Wed, 29 Apr 2026 22:53:27 +0200 Subject: [PATCH] fix(server): collapse OAuth callback messages to prevent email-existence oracle Two distinct error messages in the OAuth callback endpoint revealed whether an email address was already registered in the database. An attacker controlling the OAuth provider's email claim could probe the user table without authentication. Both cases now return the same generic message. --- e2e/src/specs/server/api/oauth.e2e-spec.ts | 2 +- server/src/services/auth.service.ts | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/e2e/src/specs/server/api/oauth.e2e-spec.ts b/e2e/src/specs/server/api/oauth.e2e-spec.ts index 157fdfc84c..8851356c9e 100644 --- a/e2e/src/specs/server/api/oauth.e2e-spec.ts +++ b/e2e/src/specs/server/api/oauth.e2e-spec.ts @@ -351,7 +351,7 @@ describe(`/oauth`, () => { const callbackParams = await loginWithOAuth('oauth-no-auto-register'); const { status, body } = await request(app).post('/oauth/callback').send(callbackParams); expect(status).toBe(400); - expect(body).toEqual(errorDto.badRequest('User does not exist and auto registering is disabled.')); + expect(body).toEqual(errorDto.badRequest('OAuth authentication failed')); }); it('should link to an existing user by email', async () => { diff --git a/server/src/services/auth.service.ts b/server/src/services/auth.service.ts index 82c2b3fb48..bae085745a 100644 --- a/server/src/services/auth.service.ts +++ b/server/src/services/auth.service.ts @@ -322,7 +322,7 @@ export class AuthService extends BaseService { const emailUser = await this.userRepository.getByEmail(normalizedEmail); if (emailUser) { if (emailUser.oauthId) { - throw new BadRequestException('User already exists, but is linked to another account.'); + throw new BadRequestException('OAuth authentication failed'); } user = await this.userRepository.update(emailUser.id, { oauthId: profile.sub }); } @@ -334,7 +334,7 @@ export class AuthService extends BaseService { this.logger.warn( `Unable to register ${profile.sub}/${normalizedEmail || '(no email)'}. To enable set OAuth Auto Register to true in admin settings.`, ); - throw new BadRequestException(`User does not exist and auto registering is disabled.`); + throw new BadRequestException('OAuth authentication failed'); } if (!normalizedEmail) {