
security: prevent exception message disclosure in OAuth error handling #32166

Open

kolega-ai-dev wants to merge 1 commit into langgenius:main from kolega-ai-dev:v10-finding_98

Conversation

@kolega-ai-dev

Vulnerability identified and fix provided by Kolega.dev

This potential vulnerability was originally reported through GitHub Security Advisories on January 6th, 2026, as detailed in the SECURITY.md. However, as there has been no acknowledgement or update on this, we are creating this PR in the interest of the community to assist in ensuring this project remains secure.

The finding and PR were generated using Kolega.dev's AI Agent and were manually checked and verified by @FaizanKolega before PR creation.

Exception Message Disclosure in OAuth Error Handling

Location

api/controllers/console/auth/oauth.py:136

Description

Exception descriptions from the service layer are directly exposed to users in OAuth callback redirects. Service layer exceptions may contain sensitive information like database errors, API details, or configuration info.

Analysis Notes

The code passes e.description directly to the client via URL redirect. While most AccountRegisterError descriptions are hardcoded safe strings ('Invalid email or password', '30 days unavailable'), there is a dangerous case at services/account_service.py:1350 where raise AccountRegisterError(f"Registration failed: {e}") wraps arbitrary exceptions. If the underlying exception contains database errors, connection details, or stack trace information, this will be exposed to the user in the URL. This is a real vulnerability because:

  • The description can contain raw exception messages from unexpected errors.
  • URL parameters are logged in browser history, server logs, and may be visible to intermediaries.
  • The fix is simple: map AccountRegisterError to a generic message or use an error code lookup.

Fix Applied

Replaced the dynamic e.description passthrough in the OAuth callback redirect with a static generic error message ("Account registration failed."), matching the pattern used by other auth controllers (login.py, email_register.py) that catch AccountRegisterError without exposing its description. Also removed the f-string interpolation of arbitrary exception messages in RegisterService.register() to prevent sensitive error details from being embedded in AccountRegisterError descriptions at the source.

Tests/Linters Ran

  • ruff check on both changed files: All checks passed
  • ruff format --check on both changed files: Already formatted
  • pytest tests/unit_tests/controllers/console/auth/test_oauth.py --no-cov: 26 passed
  • pytest tests/unit_tests/services/test_account_service.py --no-cov: 52 passed
  • pytest tests/unit_tests/controllers/console/auth/ --no-cov: 103 passed (all auth controller tests)
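
An added example, not the project's code, that contrasts the pattern this PR removes (exception text interpolated into the service error and then into the redirect URL) with the pattern it applies (detail logged server-side, a fixed string sent to the client). AccountRegisterError, the register/callback functions, the FRONTEND URL and the database error below are all constructed stand-ins for the Dify code paths named above.

```python
import logging
from urllib.parse import parse_qs, urlencode, urlparse

logger = logging.getLogger(__name__)
FRONTEND = "https://app.example.test/signin"  # constructed placeholder, not the project's URL

class AccountRegisterError(Exception):
    """Hypothetical stand-in for the service-layer error the PR discusses."""
    def __init__(self, description: str) -> None:
        super().__init__(description)
        self.description = description

def register_leaky(create_account) -> None:
    """'Before' pattern: the wrapped exception's own text becomes the description."""
    try:
        create_account()
    except Exception as e:
        raise AccountRegisterError(f"Registration failed: {e}")

def register_hardened(create_account) -> None:
    """'After' pattern: detail goes to the server log, the description is a fixed string."""
    try:
        create_account()
    except Exception:
        logger.exception("account registration failed")  # traceback stays server-side
        raise AccountRegisterError("Registration failed.")

def oauth_callback_leaky(register) -> str:
    """Redirect that passes e.description straight into the URL query string."""
    try:
        register()
        return FRONTEND
    except AccountRegisterError as e:
        return f"{FRONTEND}?{urlencode({'message': e.description})}"

def oauth_callback_hardened(register) -> str:
    """Redirect that only ever carries a generic, static message."""
    try:
        register()
        return FRONTEND
    except AccountRegisterError:
        return f"{FRONTEND}?{urlencode({'message': 'Account registration failed.'})}"

def redirect_message(url: str) -> str:
    """What the user, the browser history and every proxy log would see."""
    return parse_qs(urlparse(url).query)["message"][0]

def db_failure() -> None:
    """Constructed failure mimicking a driver error that carries connection details."""
    raise ConnectionError("could not connect to db01.internal:5432 as app_user")
```

Calling `redirect_message(oauth_callback_leaky(lambda: register_leaky(db_failure)))` returns the host, port and user name from the driver error, while the hardened pair returns only "Account registration failed.".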

Service layer exceptions containing sensitive information (database errors,
connection details) were exposed to users via OAuth callback redirect URLs.
Replaced dynamic exception descriptions with a generic error message.

dosubot (bot) added the label size:XS (This PR changes 0-9 lines, ignoring generated files.) on Feb 9, 2026

@gemini-code-assist (Contributor)

Summary of Changes

Hello @kolega-ai-dev, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a crucial security fix to prevent the disclosure of sensitive exception messages to end-users during OAuth authentication flows. By replacing dynamic error descriptions with generic messages and sanitizing the creation of AccountRegisterError instances, the changes ensure that internal system details are not inadvertently exposed, enhancing the overall security posture of the application.

Highlights

  • Exception Message Disclosure Prevention: Addressed a security vulnerability where detailed exception messages could be exposed to users through OAuth callback redirects, potentially leaking sensitive system information.
  • Generic Error Messages: Modified the OAuth callback handling to display a generic "Account registration failed." message instead of dynamic exception descriptions.
  • Sanitized Exception Creation: Updated the RegisterService.register() method to raise a generic AccountRegisterError message, preventing sensitive details from underlying exceptions from being embedded.


Changelog
  • api/controllers/console/auth/oauth.py
    • Updated the get method's AccountRegisterError exception handler to redirect with a static message "Account registration failed." instead of e.description.
  • api/services/account_service.py
    • Modified the register method to raise AccountRegisterError("Registration failed.") instead of including the original exception's details via an f-string.

Activity
  • The vulnerability was identified and the fix provided by Kolega.dev.
  • The issue was initially reported via GitHub Security Advisories on January 6th, 2026, but no acknowledgement or update was received, leading to this PR.
  • The finding and PR were generated using Kolega.dev's AI Agent and manually verified by @FaizanKolega.
  • Comprehensive tests were run, including ruff check, ruff format --check, and pytest for test_oauth.py, test_account_service.py, and all auth controller tests, all passing successfully.
