Ignore blank entries in the prompt parameter#296
Merged
Conversation
A `prompt` value with leading or duplicate spaces (e.g. `prompt=%20none`) split into an empty-string element, which fell through to the unknown-prompt branch and was rejected with `invalid_request`. Reject blank entries so such values are handled as their non-empty prompts instead.
There was a problem hiding this comment.
Pull request overview
This pull request fixes OpenID Connect prompt parameter parsing so that leading (and other stray) spaces don’t introduce an empty-string prompt value that is incorrectly treated as an unknown prompt and rejected with invalid_request.
Changes:
- Filter out blank entries from the space-delimited
promptparameter before applying prompt handling logic. - Add a controller spec asserting that
prompt: " none"behaves likeprompt: "none"(auto-issues when a matching token exists). - Document the fix in the Unreleased changelog.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
lib/doorkeeper/openid_connect/helpers/controller.rb |
Updates oidc_prompt_values to reject blank prompt entries after splitting. |
spec/controllers/doorkeeper/authorizations_controller_spec.rb |
Adds coverage for leading whitespace in prompt when using prompt=none. |
CHANGELOG.md |
Notes the behavioral fix under Unreleased. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
55728
force-pushed
the
fix/prompt-leading-whitespace
branch
from
e61b513 to
eec0622
Compare
55728
force-pushed
the
fix/prompt-leading-whitespace
branch
from
eec0622 to
96b0f54
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
oidc_prompt_valuessplits the space-delimitedpromptparameter withsplit(/ +/). A value with leading (or otherwise stray) whitespace, e.g.prompt=%20none, produces an empty-string element:The empty string then falls through
handle_oidc_prompt_param!'scaseto theelsebranch (and tripshandle_oidc_prompt_none!'s "another value present" guard), so the request is rejected withinvalid_requestinstead of being treated asprompt=none.Fix
Reject blank entries after splitting:
Only the empty-string case changes; valid prompts are unaffected.
Diff
A spec was added asserting
prompt: " none"(leading whitespace) auto-issues likeprompt: "none".Verification
bundle exec rspec spec/controllers/doorkeeper/authorizations_controller_spec.rb→ 73 examples, 0 failuresbundle exec rubocop <changed files>→ no offenses