[PR #1024] [MERGED] fix(oidc): raise OIDC callback code/state max_length from 512 to 2048 #1147

New issue

Closed

opened 2026-05-06 12:35:19 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:35:19 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/maziggy/bambuddy/pull/1024
Author: @netscout2001
Created: 4/18/2026
Status: ✅ Merged
Merged: 4/19/2026
Merged by: @maziggy

Base: dev ← Head: feature/2fa-oidc-authentication

📝 Commits (2)

9a2c91d fix(oidc): raise callback code/state max_length from 512 to 2048
cca9cac Merge branch 'dev' into feature/2fa-oidc-authentication

📊 Changes

2 files changed (+41 additions, -8 deletions)

View changed files

📝 backend/app/api/routes/mfa.py (+2 -2)
📝 backend/tests/integration/test_mfa_api.py (+39 -6)

📄 Description

Problem
Facebook and some other OAuth providers issue authorization codes that exceed 512 characters. The Pydantic validation on the OIDC callback endpoint (GET /api/v1/auth/oidc/callback) rejected these with a 422 string_too_long error, making login impossible for affected providers.

Fix
Raised max_length for the code and state query parameters from 512 to 2048. The OAuth 2.0 spec (RFC 6749) does not define a maximum authorization code length; 2048 characters aligns with limits used by major providers.

Tests
Three new integration tests in TestOIDCCallbackCodeLength:

512-char code is accepted (regression guard for old limit)
2048-char code is accepted (new limit)
2049-char code is rejected with 422 (upper bound enforced)

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/maziggy/bambuddy/pull/1024 **Author:** [@netscout2001](https://github.com/netscout2001) **Created:** 4/18/2026 **Status:** ✅ Merged **Merged:** 4/19/2026 **Merged by:** [@maziggy](https://github.com/maziggy) **Base:** `dev` ← **Head:** `feature/2fa-oidc-authentication` --- ### 📝 Commits (2) - [`9a2c91d`](https://github.com/maziggy/bambuddy/commit/9a2c91d4a506dce575f1c3d9330505e387831cf4) fix(oidc): raise callback code/state max_length from 512 to 2048 - [`cca9cac`](https://github.com/maziggy/bambuddy/commit/cca9cacf57c6fb6f858d056e9f8fd3e9587bd905) Merge branch 'dev' into feature/2fa-oidc-authentication ### 📊 Changes **2 files changed** (+41 additions, -8 deletions) <details> <summary>View changed files</summary> 📝 `backend/app/api/routes/mfa.py` (+2 -2) 📝 `backend/tests/integration/test_mfa_api.py` (+39 -6) </details> ### 📄 Description Problem Facebook and some other OAuth providers issue authorization codes that exceed 512 characters. The Pydantic validation on the OIDC callback endpoint (GET /api/v1/auth/oidc/callback) rejected these with a 422 string_too_long error, making login impossible for affected providers. Fix Raised max_length for the code and state query parameters from 512 to 2048. The OAuth 2.0 spec (RFC 6749) does not define a maximum authorization code length; 2048 characters aligns with limits used by major providers. Tests Three new integration tests in TestOIDCCallbackCodeLength: 512-char code is accepted (regression guard for old limit) 2048-char code is accepted (new limit) 2049-char code is rejected with 422 (upper bound enforced) --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>