don't expose error messages from pre-actions and post connect hooks

always return a generic error instead to avoid leaking internal info Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-07 14:50:55 +03:00 · 2023-02-28 18:01:09 +01:00
parent dba088daed
commit fad6af11e5
9 changed files with 32 additions and 27 deletions
--- a/internal/httpd/oidc.go
+++ b/internal/httpd/oidc.go
@@ -431,7 +431,7 @@ func (t *oidcToken) getUser(r *http.Request) error {
 	}
 	if err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolOIDC); err != nil {
 		updateLoginMetrics(&user, dataprovider.LoginMethodIDP, ipAddr, err)
-		return fmt.Errorf("access denied by post connect hook: %w", err)
+		return fmt.Errorf("access denied: %w", err)
 	}
 	if err := user.CheckLoginConditions(); err != nil {
 		updateLoginMetrics(&user, dataprovider.LoginMethodIDP, ipAddr, err)