[PR #985] [MERGED] fix(oidc): strip trailing slash from issuer URL before building discovery URL #1146

New issue

Closed

opened 2026-05-07 00:16:17 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-07 00:16:17 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/maziggy/bambuddy/pull/985
Author: @netscout2001
Created: 4/15/2026
Status: ✅ Merged
Merged: 4/15/2026
Merged by: @maziggy

Base: dev ← Head: feature/2fa-oidc-authentication

📝 Commits (3)

058a7bb fix(oidc): strip trailing slash from issuer_url before building discovery URL
ba088bb test(oidc): add regression test for trailing slash in issuer URL
4df6905 Merge branch 'dev' into feature/2fa-oidc-authentication

📊 Changes

2 files changed (+67 additions, -2 deletions)

View changed files

📝 backend/app/api/routes/mfa.py (+2 -2)
📝 backend/tests/integration/test_mfa_api.py (+65 -0)

📄 Description

Authentik and similar OIDC providers return issuer URLs with a trailing slash
(e.g. <https://authentik.example.com/application/o/bambuddy/>). BamBuddy
appended /.well-known/openid-configuration directly, producing a double
slash and a failed discovery fetch ("Failed to fetch OIDC discovery document").

Fix: issuer_url.rstrip('/') in both discovery URL construction sites in
oidc_authorize and oidc_callback. No effect when the URL has no trailing
slash.

Includes a regression test that verifies the correct discovery URL is
requested when the configured issuer URL has a trailing slash.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/maziggy/bambuddy/pull/985 **Author:** [@netscout2001](https://github.com/netscout2001) **Created:** 4/15/2026 **Status:** ✅ Merged **Merged:** 4/15/2026 **Merged by:** [@maziggy](https://github.com/maziggy) **Base:** `dev` ← **Head:** `feature/2fa-oidc-authentication` --- ### 📝 Commits (3) - [`058a7bb`](https://github.com/maziggy/bambuddy/commit/058a7bbc98b2e3a609538b7e91dc9ff9c6b5e8b0) fix(oidc): strip trailing slash from issuer_url before building discovery URL - [`ba088bb`](https://github.com/maziggy/bambuddy/commit/ba088bbd9916652693b2d6a25347b0d1a87f53a4) test(oidc): add regression test for trailing slash in issuer URL - [`4df6905`](https://github.com/maziggy/bambuddy/commit/4df69058fc30c391ab8d8690c4bc90a3ba5ea605) Merge branch 'dev' into feature/2fa-oidc-authentication ### 📊 Changes **2 files changed** (+67 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `backend/app/api/routes/mfa.py` (+2 -2) 📝 `backend/tests/integration/test_mfa_api.py` (+65 -0) </details> ### 📄 Description Authentik and similar OIDC providers return issuer URLs with a trailing slash (e.g. `<https://authentik.example.com/application/o/bambuddy/`>). BamBuddy appended `/.well-known/openid-configuration` directly, producing a double slash and a failed discovery fetch ("Failed to fetch OIDC discovery document"). Fix: `issuer_url.rstrip('/')` in both discovery URL construction sites in `oidc_authorize` and `oidc_callback`. No effect when the URL has no trailing slash. Includes a regression test that verifies the correct discovery URL is requested when the configured issuer URL has a trailing slash. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>