feat(auth): enforce OpenID Connect issuer uniqueness across providers

Detect when two configured OIDC providers resolve to the same issuer URL at startup and halt with a fatal error, preventing team sync data corruption caused by ambiguous (external_id, issuer) matching. Also adds duplicate issuer detection to the doctor service diagnostics and comprehensive tests with mock OIDC discovery servers.
2026-05-01 01:16:40 +00:00 · 2026-03-24 15:22:56 +00:00
parent 59abe1bd84
commit fc9c21915d
4 changed files with 214 additions and 7 deletions
--- a/pkg/modules/auth/openid/providers_test.go
+++ b/pkg/modules/auth/openid/providers_test.go
@@ -17,10 +17,16 @@
 package openid

 import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
 	"testing"

 	"code.vikunja.io/api/pkg/config"
 	"code.vikunja.io/api/pkg/modules/keyvalue"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestGetAllProvidersTypeSafety(t *testing.T) {
@@ -84,3 +90,119 @@ func TestGetAllProvidersTypeSafety(t *testing.T) {
 		}
 	})
 }
+
+// newMockOIDCServer creates a test HTTP server that serves a valid OIDC discovery document.
+// The issuer in the discovery document matches the server's URL.
+func newMockOIDCServer() *httptest.Server {
+	var server *httptest.Server
+	mux := http.NewServeMux()
+	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
+		discovery := map[string]interface{}{
+			"issuer":                 server.URL,
+			"authorization_endpoint": server.URL + "/auth",
+			"token_endpoint":         server.URL + "/token",
+			"jwks_uri":               server.URL + "/jwks",
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(discovery)
+	})
+	server = httptest.NewServer(mux)
+	return server
+}
+
+func TestDuplicateIssuersDetected(t *testing.T) {
+	defer CleanupSavedOpenIDProviders()
+
+	// Create a single mock server — both providers will use the same issuer
+	server := newMockOIDCServer()
+	defer server.Close()
+
+	config.AuthOpenIDEnabled.Set(true)
+	config.AuthOpenIDProviders.Set(map[string]interface{}{
+		"provider1": map[string]interface{}{
+			"name":         "Provider One",
+			"authurl":      server.URL,
+			"clientid":     "client1",
+			"clientsecret": "secret1",
+		},
+		"provider2": map[string]interface{}{
+			"name":         "Provider Two",
+			"authurl":      server.URL,
+			"clientid":     "client2",
+			"clientsecret": "secret2",
+		},
+	})
+	_ = keyvalue.Del("openid_providers")
+
+	providers, err := GetAllProviders()
+	require.Error(t, err)
+	assert.Nil(t, providers)
+	assert.True(t, IsErrDuplicateOIDCIssuer(err))
+
+	var dupErr *ErrDuplicateOIDCIssuer
+	require.ErrorAs(t, err, &dupErr)
+	assert.Equal(t, server.URL, dupErr.Issuer)
+}
+
+func TestUniqueIssuersAllowed(t *testing.T) {
+	defer CleanupSavedOpenIDProviders()
+
+	// Create two separate mock servers — different issuers
+	server1 := newMockOIDCServer()
+	defer server1.Close()
+	server2 := newMockOIDCServer()
+	defer server2.Close()
+
+	config.AuthOpenIDEnabled.Set(true)
+	config.AuthOpenIDProviders.Set(map[string]interface{}{
+		"provider1": map[string]interface{}{
+			"name":         "Provider One",
+			"authurl":      server1.URL,
+			"clientid":     "client1",
+			"clientsecret": "secret1",
+		},
+		"provider2": map[string]interface{}{
+			"name":         "Provider Two",
+			"authurl":      server2.URL,
+			"clientid":     "client2",
+			"clientsecret": "secret2",
+		},
+	})
+	_ = keyvalue.Del("openid_providers")
+
+	providers, err := GetAllProviders()
+	require.NoError(t, err)
+	assert.Len(t, providers, 2)
+}
+
+func TestFailedDiscoverySkippedInIssuerCheck(t *testing.T) {
+	defer CleanupSavedOpenIDProviders()
+
+	// One valid server, one unreachable
+	server := newMockOIDCServer()
+	defer server.Close()
+
+	config.AuthOpenIDEnabled.Set(true)
+	config.AuthOpenIDProviders.Set(map[string]interface{}{
+		"valid": map[string]interface{}{
+			"name":         "Valid Provider",
+			"authurl":      server.URL,
+			"clientid":     "client1",
+			"clientsecret": "secret1",
+		},
+		"broken": map[string]interface{}{
+			"name":         "Broken Provider",
+			"authurl":      "http://127.0.0.1:1",
+			"clientid":     "client2",
+			"clientsecret": "secret2",
+		},
+	})
+	_ = keyvalue.Del("openid_providers")
+
+	// The broken provider will fail discovery and be skipped.
+	// The valid provider should load successfully.
+	providers, err := GetAllProviders()
+	require.NoError(t, err)
+	assert.Len(t, providers, 1)
+	assert.Equal(t, "Valid Provider", providers[0].Name)
+}