fix: prevent double totp submissions

frontend/src/lib/hooks/oidc.ts

@@ -11,33 +11,6 @@ export const oidcParamsSchema = z.object({
   code_challenge_method: z.string().optional(),
 });
 
-function b64urlDecode(s: string): string {
-  const base64 = s.replace(/-/g, "+").replace(/_/g, "/");
-  return atob(base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), "="));
-}
-
-function decodeRequestObject(jwt: string): Record<string, string> {
-  try {
-    // Must have exactly 3 parts: header, payload, signature
-    const parts = jwt.split(".");
-    if (parts.length !== 3) return {};
-
-    // Header must specify "alg": "none" and signature must be empty string
-    const header = JSON.parse(b64urlDecode(parts[0]));
-    if (!header || typeof header !== "object" || header.alg !== "none" || parts[2] !== "") return {};
-
-    const payload = JSON.parse(b64urlDecode(parts[1]));
-    if (!payload || typeof payload !== "object" || Array.isArray(payload)) return {};
-    const result: Record<string, string> = {};
-    for (const [k, v] of Object.entries(payload)) {
-      if (typeof v === "string") result[k] = v;
-    }
-    return result;
-  } catch {
-    return {};
-  }
-}
-
 export const useOIDCParams = (
   params: URLSearchParams,
 ): {
@@ -47,15 +20,6 @@ export const useOIDCParams = (
   compiled: string;
 } => {
   const obj = Object.fromEntries(params.entries());
-
-  // RFC 9101 / OIDC Core 6.1: if `request` param present, decode JWT payload
-  // and merge claims over top-level params (JWT claims take precedence)
-  const requestJwt = params.get("request");
-  if (requestJwt) {
-    const claims = decodeRequestObject(requestJwt);
-    Object.assign(obj, claims);
-  }
-
   const parsed = oidcParamsSchema.safeParse(obj);
 
   if (parsed.success) {

internal/controller/well_known_controller.go

@@ -22,8 +22,6 @@ type OpenIDConnectConfiguration struct {
 	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
 	ClaimsSupported                   []string `json:"claims_supported"`
 	ServiceDocumentation              string   `json:"service_documentation"`
-	RequestParameterSupported              bool     `json:"request_parameter_supported"`
-	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
 }
 
 type WellKnownControllerConfig struct{}
@@ -63,8 +61,6 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
 		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
 		ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
-		RequestParameterSupported:              true,
-		RequestObjectSigningAlgValuesSupported: []string{"none"},
 	})
 }
 

internal/controller/well_known_controller_test.go

@@ -69,8 +69,6 @@ func TestWellKnownController(t *testing.T) {
 					TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
 					ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
 					ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
-					RequestParameterSupported:              true,
-					RequestObjectSigningAlgValuesSupported: []string{"none"},
 				}
 
 				assert.Equal(t, expected, res)