fix: prevent double totp submissions

chore: small ui fixes
fix(ui): allow pw manager extensions to autofill totp
2026-04-12 16:57:55 +00:00 · 2026-04-12 18:59:09 +03:00 · 2026-04-12 18:32:59 +03:00 · 2026-04-12 11:20:49 +12:00
3 changed files with 39 additions and 81 deletions
--- a/frontend/src/lib/hooks/oidc.ts
+++ b/frontend/src/lib/hooks/oidc.ts
@@ -11,33 +11,6 @@ export const oidcParamsSchema = z.object({
  code_challenge_method: z.string().optional(),
 });

-function b64urlDecode(s: string): string {
-  const base64 = s.replace(/-/g, "+").replace(/_/g, "/");
-  return atob(base64.padEnd(base64.length + ((4 - (base64.length % 4)) % 4), "="));
-}
-
-function decodeRequestObject(jwt: string): Record<string, string> {
-  try {
-    // Must have exactly 3 parts: header, payload, signature
-    const parts = jwt.split(".");
-    if (parts.length !== 3) return {};
-
-    // Header must specify "alg": "none" and signature must be empty string
-    const header = JSON.parse(b64urlDecode(parts[0]));
-    if (!header || typeof header !== "object" || header.alg !== "none" || parts[2] !== "") return {};
-
-    const payload = JSON.parse(b64urlDecode(parts[1]));
-    if (!payload || typeof payload !== "object" || Array.isArray(payload)) return {};
-    const result: Record<string, string> = {};
-    for (const [k, v] of Object.entries(payload)) {
-      if (typeof v === "string") result[k] = v;
-    }
-    return result;
-  } catch {
-    return {};
-  }
-}
-
 export const useOIDCParams = (
  params: URLSearchParams,
 ): {
@@ -47,15 +20,6 @@ export const useOIDCParams = (
  compiled: string;
 } => {
  const obj = Object.fromEntries(params.entries());
-
-  // RFC 9101 / OIDC Core 6.1: if `request` param present, decode JWT payload
-  // and merge claims over top-level params (JWT claims take precedence)
-  const requestJwt = params.get("request");
-  if (requestJwt) {
-    const claims = decodeRequestObject(requestJwt);
-    Object.assign(obj, claims);
-  }
-
  const parsed = oidcParamsSchema.safeParse(obj);

  if (parsed.success) {
--- a/internal/controller/well_known_controller.go
+++ b/internal/controller/well_known_controller.go
@@ -9,21 +9,19 @@ import (
 )

 type OpenIDConnectConfiguration struct {
-	Issuer                                 string   `json:"issuer"`
-	AuthorizationEndpoint                  string   `json:"authorization_endpoint"`
-	TokenEndpoint                          string   `json:"token_endpoint"`
-	UserinfoEndpoint                       string   `json:"userinfo_endpoint"`
-	JwksUri                                string   `json:"jwks_uri"`
-	ScopesSupported                        []string `json:"scopes_supported"`
-	ResponseTypesSupported                 []string `json:"response_types_supported"`
-	GrantTypesSupported                    []string `json:"grant_types_supported"`
-	SubjectTypesSupported                  []string `json:"subject_types_supported"`
-	IDTokenSigningAlgValuesSupported       []string `json:"id_token_signing_alg_values_supported"`
-	TokenEndpointAuthMethodsSupported      []string `json:"token_endpoint_auth_methods_supported"`
-	ClaimsSupported                        []string `json:"claims_supported"`
-	ServiceDocumentation                   string   `json:"service_documentation"`
-	RequestParameterSupported              bool     `json:"request_parameter_supported"`
-	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
+	Issuer                            string   `json:"issuer"`
+	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
+	TokenEndpoint                     string   `json:"token_endpoint"`
+	UserinfoEndpoint                  string   `json:"userinfo_endpoint"`
+	JwksUri                           string   `json:"jwks_uri"`
+	ScopesSupported                   []string `json:"scopes_supported"`
+	ResponseTypesSupported            []string `json:"response_types_supported"`
+	GrantTypesSupported               []string `json:"grant_types_supported"`
+	SubjectTypesSupported             []string `json:"subject_types_supported"`
+	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"`
+	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
+	ClaimsSupported                   []string `json:"claims_supported"`
+	ServiceDocumentation              string   `json:"service_documentation"`
 }

 type WellKnownControllerConfig struct{}
@@ -50,21 +48,19 @@ func (controller *WellKnownController) SetupRoutes() {
 func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context) {
 	issuer := controller.oidc.GetIssuer()
 	c.JSON(200, OpenIDConnectConfiguration{
-		Issuer:                                 issuer,
-		AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", issuer),
-		TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", issuer),
-		UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", issuer),
-		JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", issuer),
-		ScopesSupported:                        service.SupportedScopes,
-		ResponseTypesSupported:                 service.SupportedResponseTypes,
-		GrantTypesSupported:                    service.SupportedGrantTypes,
-		SubjectTypesSupported:                  []string{"pairwise"},
-		IDTokenSigningAlgValuesSupported:       []string{"RS256"},
-		TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
-		ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
-		ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
-		RequestParameterSupported:              true,
-		RequestObjectSigningAlgValuesSupported: []string{"none"},
+		Issuer:                            issuer,
+		AuthorizationEndpoint:             fmt.Sprintf("%s/authorize", issuer),
+		TokenEndpoint:                     fmt.Sprintf("%s/api/oidc/token", issuer),
+		UserinfoEndpoint:                  fmt.Sprintf("%s/api/oidc/userinfo", issuer),
+		JwksUri:                           fmt.Sprintf("%s/.well-known/jwks.json", issuer),
+		ScopesSupported:                   service.SupportedScopes,
+		ResponseTypesSupported:            service.SupportedResponseTypes,
+		GrantTypesSupported:               service.SupportedGrantTypes,
+		SubjectTypesSupported:             []string{"pairwise"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
+		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
+		ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
 	})
 }

--- a/internal/controller/well_known_controller_test.go
+++ b/internal/controller/well_known_controller_test.go
@@ -56,21 +56,19 @@ func TestWellKnownController(t *testing.T) {
 				assert.NoError(t, err)

 				expected := controller.OpenIDConnectConfiguration{
-					Issuer:                                 oidcServiceCfg.Issuer,
-					AuthorizationEndpoint:                  fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
-					TokenEndpoint:                          fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
-					UserinfoEndpoint:                       fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
-					JwksUri:                                fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
-					ScopesSupported:                        service.SupportedScopes,
-					ResponseTypesSupported:                 service.SupportedResponseTypes,
-					GrantTypesSupported:                    service.SupportedGrantTypes,
-					SubjectTypesSupported:                  []string{"pairwise"},
-					IDTokenSigningAlgValuesSupported:       []string{"RS256"},
-					TokenEndpointAuthMethodsSupported:      []string{"client_secret_basic", "client_secret_post"},
-					ClaimsSupported:                        []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
-					ServiceDocumentation:                   "https://tinyauth.app/docs/guides/oidc",
-					RequestParameterSupported:              true,
-					RequestObjectSigningAlgValuesSupported: []string{"none"},
+					Issuer:                            oidcServiceCfg.Issuer,
+					AuthorizationEndpoint:             fmt.Sprintf("%s/authorize", oidcServiceCfg.Issuer),
+					TokenEndpoint:                     fmt.Sprintf("%s/api/oidc/token", oidcServiceCfg.Issuer),
+					UserinfoEndpoint:                  fmt.Sprintf("%s/api/oidc/userinfo", oidcServiceCfg.Issuer),
+					JwksUri:                           fmt.Sprintf("%s/.well-known/jwks.json", oidcServiceCfg.Issuer),
+					ScopesSupported:                   service.SupportedScopes,
+					ResponseTypesSupported:            service.SupportedResponseTypes,
+					GrantTypesSupported:               service.SupportedGrantTypes,
+					SubjectTypesSupported:             []string{"pairwise"},
+					IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+					TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
+					ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
+					ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
 				}

 				assert.Equal(t, expected, res)
Author	SHA1	Message	Date
Stavros	40bb8b4472	fix: prevent double totp submissions	2026-04-12 18:59:09 +03:00
Stavros	e7b44ee54e	chore: small ui fixes	2026-04-12 18:32:59 +03:00
Scott McKendry	ea21cbdcd4	fix(ui): allow pw manager extensions to autofill totp	2026-04-12 11:20:49 +12:00