Fix: Prevent infinite OIDC redirects

lovasoa · lovasoa · commit 70cc3751f5dc · 2025-12-01T00:06:09.000+01:00
This commit adds a mechanism to prevent infinite redirects in the OIDC
callback flow. It does this by:

- Tracking the number of redirects using a cookie.
- Setting a maximum number of redirects (3).
- Returning an error if the maximum is exceeded.
diff --git a/src/webserver/error.rs b/src/webserver/error.rs
@@ -52,7 +52,7 @@ fn error_to_html_string(app_state: &AppState, err: &anyhow::Error) -> anyhow::Re
     Ok(out.into_string()?)
 }
 
-fn anyhow_err_to_actix_resp(e: &anyhow::Error, state: &AppState) -> HttpResponse {
+pub(super) fn anyhow_err_to_actix_resp(e: &anyhow::Error, state: &AppState) -> HttpResponse {
     let mut resp = HttpResponseBuilder::new(StatusCode::INTERNAL_SERVER_ERROR);
     resp.insert_header((header::CONTENT_TYPE, header::ContentType::plaintext()));
 
diff --git a/src/webserver/oidc.rs b/src/webserver/oidc.rs
@@ -34,6 +34,7 @@ use openidconnect::{
 use serde::{Deserialize, Serialize};
 use tokio::sync::{RwLock, RwLockReadGuard};
 
+use super::error::anyhow_err_to_actix_resp;
 use super::http_client::make_http_client;
 
 type LocalBoxFuture<T> = Pin<Box<dyn Future<Output = T> + 'static>>;
@@ -44,6 +45,8 @@ const SQLPAGE_NONCE_COOKIE_NAME: &str = "sqlpage_oidc_nonce";
 const SQLPAGE_TMP_LOGIN_STATE_COOKIE_PREFIX: &str = "sqlpage_oidc_state_";
 const OIDC_CLIENT_MAX_REFRESH_INTERVAL: Duration = Duration::from_secs(60 * 60);
 const OIDC_CLIENT_MIN_REFRESH_INTERVAL: Duration = Duration::from_secs(5);
+const SQLPAGE_OIDC_REDIRECT_COUNT_COOKIE: &str = "sqlpage_oidc_redirect_count";
+const MAX_OIDC_REDIRECTS: u8 = 3;
 const AUTH_COOKIE_EXPIRATION: awc::cookie::time::Duration =
     actix_web::cookie::time::Duration::days(7);
 const LOGIN_FLOW_STATE_COOKIE_EXPIRATION: awc::cookie::time::Duration =
@@ -374,11 +377,24 @@ async fn handle_unauthenticated_request(
 
 async fn handle_oidc_callback(oidc_state: &OidcState, request: ServiceRequest) -> ServiceResponse {
     match process_oidc_callback(oidc_state, &request).await {
-        Ok(response) => request.into_response(response),
+        Ok(mut response) => {
+            clear_redirect_count_cookie(&mut response);
+            request.into_response(response)
+        }
         Err(e) => {
-            log::error!("Failed to process OIDC callback. Refreshing oidc provider metadata, then redirecting to home page: {e:#}");
+            let redirect_count = get_redirect_count(&request);
+            if redirect_count >= MAX_OIDC_REDIRECTS {
+                log::error!(
+                    "Failed to process OIDC callback after {redirect_count} attempts. \
+                     Stopping to avoid infinite redirections: {e:#}"
+                );
+                let resp = build_oidc_error_response(&request, &e);
+                return request.into_response(resp);
+            }
+            log::error!("Failed to process OIDC callback (attempt {redirect_count}). Refreshing oidc provider metadata, then redirecting to home page: {e:#}");
             oidc_state.refresh_on_error(&request).await;
-            let resp = build_auth_provider_redirect_response(oidc_state, "/").await;
+            let mut resp = build_auth_provider_redirect_response(oidc_state, "/").await;
+            set_redirect_count_cookie(&mut resp, redirect_count + 1);
             request.into_response(resp)
         }
     }
@@ -500,6 +516,38 @@ fn build_redirect_response(target_url: String) -> HttpResponse {
         .body("Redirecting...")
 }
 
+fn get_redirect_count(request: &ServiceRequest) -> u8 {
+    request
+        .cookie(SQLPAGE_OIDC_REDIRECT_COUNT_COOKIE)
+        .and_then(|c| c.value().parse().ok())
+        .unwrap_or(0)
+}
+
+fn set_redirect_count_cookie(response: &mut HttpResponse, count: u8) {
+    let cookie = Cookie::build(SQLPAGE_OIDC_REDIRECT_COUNT_COOKIE, count.to_string())
+        .path("/")
+        .http_only(true)
+        .same_site(actix_web::cookie::SameSite::Lax)
+        .max_age(LOGIN_FLOW_STATE_COOKIE_EXPIRATION)
+        .finish();
+    response.add_cookie(&cookie).ok();
+}
+
+fn clear_redirect_count_cookie(response: &mut HttpResponse) {
+    let cookie = Cookie::build(SQLPAGE_OIDC_REDIRECT_COUNT_COOKIE, "")
+        .path("/")
+        .finish()
+        .into_owned();
+    response.add_removal_cookie(&cookie).ok();
+}
+
+fn build_oidc_error_response(request: &ServiceRequest, e: &anyhow::Error) -> HttpResponse {
+    request.app_data::<web::Data<AppState>>().map_or_else(
+        || HttpResponse::InternalServerError().body(format!("Authentication error: {e}")),
+        |state| anyhow_err_to_actix_resp(e, state),
+    )
+}
+
 /// Returns the claims from the ID token in the `SQLPage` auth cookie.
 async fn get_authenticated_user_info(
     oidc_state: &OidcState,

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ fn error_to_html_string(app_state: &AppState, err: &anyhow::Error) -> anyhow::Re`
`52`	`52`	`Ok(out.into_string()?)`
`53`	`53`	`}`
`54`	`54`
`55`		`-fn anyhow_err_to_actix_resp(e: &anyhow::Error, state: &AppState) -> HttpResponse {`
	`55`	`+pub(super) fn anyhow_err_to_actix_resp(e: &anyhow::Error, state: &AppState) -> HttpResponse {`
`56`	`56`	`let mut resp = HttpResponseBuilder::new(StatusCode::INTERNAL_SERVER_ERROR);`
`57`	`57`	`resp.insert_header((header::CONTENT_TYPE, header::ContentType::plaintext()));`
`58`	`58`