feat: enforce maximum password length of 64 characters in user registration and password update
@@ -200,7 +200,13 @@ router.get('/callback', callbackLimiter, async (req, res) => {
|
||||
);
|
||||
|
||||
if (user) {
|
||||
// Link OAuth to existing account
|
||||
// Only auto-link to an existing local account if the IdP has actually
|
||||
// verified the email. Otherwise an attacker who registers at the IdP
|
||||
// with someone else's email could take over the local account.
|
||||
if (userInfo.email_verified !== true) {
|
||||
log.auth.warn(`OAuth account-linking blocked: provider did not assert email_verified=true for ${email}`);
|
||||
return errorRedirect('Your OAuth provider has not verified this email address. Please verify it with the provider before logging in here.');
|
||||
}
|
||||
await db.run(
|
||||
'UPDATE users SET oauth_provider = ?, oauth_provider_id = ?, email_verified = 1, updated_at = CURRENT_TIMESTAMP WHERE id = ?',
|
||||
['oidc', sub, user.id],
|
||||
|
||||
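Review bot: The `UPDATE users SET oauth_provider = ?, oauth_provider_id = ? ... WHERE id = ?` at the end of the hunk overwrites any existing `oauth_provider_id` unconditionally, so a local account that is already linked to one IdP subject is silently re-linked to a different `sub` that presents the same verified email; if the earlier lookup by `sub` (outside this hunk) misses in that case, a second identity at the IdP, or a second configured IdP, can take over the link with no involvement from the account owner. Guard it before the `await db.run(`: `if (user.oauth_provider_id && user.oauth_provider_id !== sub) {` / `return errorRedirect('This account is already linked to a different identity. Sign in with that identity or unlink it first.');` / `}`. Two smaller points: `log.auth.warn(...)` writes the raw email to the log, which is PII worth weighing against your log retention, and `userInfo.email_verified !== true` deliberately rejects providers that return the claim as the string `"true"`, so add `// strict boolean on purpose: a truthy check would accept "false"` to stop someone loosening it later. The commit title refers to a 64-character password limit, which this OAuth-linking hunk does not touch; the callback handler begins before the hunk and the `db.run(` call continues past it.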