fix(auth): move forced-mfa-setup page out of /auth/ to escape proxy catch-all

The /auth/[...path]/route.ts catch-all in the Next.js frontend
proxies *every* /auth/* request to the backend, including the
forced-mfa-setup page route. The backend has no GET endpoint for that
path → 404 → the page is never served → the user sees a blank page or
is bounced back to /login.

Move the page to /mfa-setup (outside /auth/) and update redirects:
- login page.tsx redirect
- OIDC + SAML callback redirects
2026-05-25 11:01:24 +02:00
parent 36b9b27b97
commit bb6b47deef
9 changed files with 18 additions and 3 deletions
+11
@@ -0,0 +1,11 @@
{
"version": "0.0.1",
"configurations": [
{
"name": "logo-preview",
"runtimeExecutable": "python3",
"runtimeArgs": ["-m", "http.server", "8765", "--directory", "/tmp/logo-preview"],
"port": 8765
}
]
}
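Review bot: This launch configuration and the four `.claude/worktrees/*` submodule entries listed after it look unrelated to the MFA redirect fix and are probably local tooling state that should not ship in an auth commit; consider dropping them and ignoring the `.claude/worktrees/` directory. If the preview config is meant to stay, note that `python3 -m http.server` listens on all interfaces unless told otherwise, and here it serves a directory under world-writable `/tmp`; adding `"--bind", "127.0.0.1"` to `runtimeArgs` keeps it local. The gitlink entries also pin worktree commits that other clones cannot resolve unless a matching `.gitmodules` exists, which is not visible on this page.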
Submodule .claude/worktrees/distracted-khorana-af6f01 added at d903ca41cb
Submodule .claude/worktrees/objective-zhukovsky-3263ec added at 571c5de3cc
Submodule .claude/worktrees/youthful-hofstadter added at 8ffe43e0d2
Submodule .claude/worktrees/zen-hermann-222ff3 added at 571c5de3cc
+1 -1
@@ -315,7 +315,7 @@ async def oidc_callback(
)
base = os.getenv("DASHBOARD_URL", "/").rstrip("/")
return RedirectResponse(
f"{base}/auth/forced-mfa-setup?token={setup_token}",
f"{base}/mfa-setup?token={setup_token}",
status_code=302,
)
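Review bot: The setup token is still placed in the query string of the 302 Location at `f"{base}/mfa-setup?token={setup_token}"`, so it can end up in browser history, reverse-proxy and access logs, and Referer headers sent from the setup page; the same pattern is in the `saml_acs` redirect and in the login page's `window.location.href` assignment. Since this token gates MFA enrolment before any session exists, it is worth confirming that it is short-lived and single-use, and that the `/mfa-setup` page sets a strict `Referrer-Policy` and strips the parameter from the URL once read. Unlike the frontend, which applies `encodeURIComponent`, the value is interpolated unescaped here; if its alphabet is not guaranteed URL-safe (not visible in this hunk), use `urllib.parse.quote(setup_token, safe="")`. The body of `oidc_callback` starts outside the hunk.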
+1 -1
@@ -202,7 +202,7 @@ async def saml_acs(request: Request, db: Session = Depends(get_db)):
import os as _os
base = _os.getenv("DASHBOARD_URL", "/").rstrip("/")
return RedirectResponse(
f"{base}/auth/forced-mfa-setup?token={setup_token}",
f"{base}/mfa-setup?token={setup_token}",
status_code=302,
)
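Review bot: The redirect target is built by hand a second time here, with a function-local `import os as _os`, while `oidc_callback` builds the identical URL through plain `os`; that duplication is why a path move needs edits in several places. A small shared helper used by both callbacks, for example `def mfa_setup_redirect(setup_token: str) -> RedirectResponse`, would keep the path and any token escaping in one place. `saml_acs` begins and ends outside the hunk, so whether `os` is already imported at module level in this file cannot be seen from here.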
+1 -1
@@ -45,7 +45,7 @@ export default function LoginPage() {
// dedicated /auth/forced-mfa-setup page carrying the setup
// token. User cannot get a session before completing it.
if (response.data?.mfa_setup_required && response.data?.setup_token) {
window.location.href = `/auth/forced-mfa-setup?token=${encodeURIComponent(response.data.setup_token)}`;
window.location.href = `/mfa-setup?token=${encodeURIComponent(response.data.setup_token)}`;
return;
}
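Review bot: The comment just above the changed line still names the old location (`// dedicated /auth/forced-mfa-setup page carrying the setup`), which will mislead the next reader now that the redirect goes to `/mfa-setup`; update it to `// dedicated /mfa-setup page carrying the setup`. It would also help to say in that comment why the page lives outside `/auth/` (the catch-all proxy described in the commit message), so the page is not moved back later. `LoginPage` continues outside the hunk.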