fix: prevent unauthorized IDP linking via session validation#45

Merged
JoseSzycho merged 2 commits into main from fix/server-side-idp-validation
Jan 13, 2026
@JoseSzycho
Collaborator

Description: This PR addresses a critical security vulnerability in the IDP linking flow by adding server-side session validation to prevent unauthorized account takeover.

Security Issue: Previously, a malicious user could potentially link their identity provider (e.g., Google, GitHub) to another user's account by manipulating the userId parameter during the OAuth callback flow. This would allow them to gain unauthorized access to the victim's account.

Fix: Added server-side validation in the IDP linking success handler that:

  • Retrieves the authenticated user's session from secure HTTP-only cookies
  • Verifies that the session user ID matches the target user ID for linking
  • Rejects the linking attempt with "Access Denied" if there's a mismatch or missing session

@JoseSzycho JoseSzycho merged commit 4b9f265 into main Jan 13, 2026
2 of 3 checks passed
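
The check described in the PR, sketched as an added example (not code from this PR or its repository): the handler takes the authenticated user from the server-side session and treats the callback's userId only as a claim to be verified. The in-memory session store, the cookie name `session`, the expiry field and all function names are assumptions made for illustration.

```javascript
// Added example; SESSIONS, parseCookies, sessionUserId and handleIdpLinkSuccess
// are hypothetical names. Constructed session store: session id -> user.
const SESSIONS = new Map([
  ["sess-alice-1", { userId: "user-alice", expiresAt: Date.now() + 60_000 }],
  ["sess-old-9", { userId: "user-bob", expiresAt: Date.now() - 1 }],
]);

// Parse a Cookie header into a prototype-free object.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Resolve the authenticated user from the session cookie only,
// never from anything the client can put in the callback URL.
function sessionUserId(cookieHeader, now = Date.now()) {
  const sid = parseCookies(cookieHeader)["session"];
  const s = sid ? SESSIONS.get(sid) : undefined;
  return s && s.expiresAt > now ? s.userId : null;
}

// IDP linking success handler: reject unless the session user is the
// target of the link. linkIdp is a caller-supplied persistence callback.
function handleIdpLinkSuccess(req, linkIdp) {
  const targetUserId = req.query.userId;
  const authedUserId = sessionUserId(req.headers.cookie);
  if (!authedUserId || typeof targetUserId !== "string" ||
      authedUserId !== targetUserId) {
    return { status: 403, body: "Access Denied" };
  }
  // Link against the session's user id, not the request parameter.
  linkIdp(authedUserId, req.query.idpId);
  return { status: 200, body: "IDP linked" };
}
```

The same "Access Denied" response covers a mismatch, a missing or expired session, and a malformed userId, so the response does not reveal which check failed.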