Skip to content

Commit c670d3b

Browse files
fix: handle missing OIDC auth request gracefully
The GET /login route called getAuthRequest() without error handling. When a request arrived with an expired or invalid authRequest ID, the Zitadel OIDC service returned a NOT_FOUND gRPC error that propagated as an unhandled ConnectError, crashing the route handler with a 500. Wrap the call in try/catch and add a null guard, returning a 400 JSON response instead. This matches the existing pattern used by the SAML branch which already checks for a missing samlRequest. Made-with: Cursor
1 parent a67b4fc commit c670d3b

1 file changed

Lines changed: 20 additions & 4 deletions

File tree

apps/login/src/app/login/route.ts

Lines changed: 20 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -134,10 +134,26 @@ export async function GET(request: NextRequest) {
134134

135135
// continue with OIDC
136136
if (requestId && requestId.startsWith("oidc_")) {
137-
const { authRequest } = await getAuthRequest({
138-
serviceUrl,
139-
authRequestId: requestId.replace("oidc_", ""),
140-
});
137+
let authRequest;
138+
try {
139+
({ authRequest } = await getAuthRequest({
140+
serviceUrl,
141+
authRequestId: requestId.replace("oidc_", ""),
142+
}));
143+
} catch (error) {
144+
console.error("Failed to get auth request:", error);
145+
return NextResponse.json(
146+
{ error: "Auth request not found or expired" },
147+
{ status: 400 },
148+
);
149+
}
150+
151+
if (!authRequest) {
152+
return NextResponse.json(
153+
{ error: "Auth request not found" },
154+
{ status: 400 },
155+
);
156+
}
141157

142158
let organization = "";
143159
let suffix = "";

0 commit comments

Comments
 (0)