Problem
GET /api/auth/:strategy (modules/auth/routes/auth.routes.js) is a greedy catch-all. oauthCall (modules/auth/controllers/auth.controller.js) calls passport.authenticate(req.params.strategy) with no validation, no callback, no { session: false }. Any unmatched path segment becomes a passport strategy name:
- unknown strategy (e.g. /api/auth/me, /api/auth/callback) → passport throws synchronously Unknown authentication strategy → 500
- a provider in ALLOWED_PROVIDERS but not enabled/registered → same 500
- an enabled OAuth provider → passport.authenticate('google') defaults to session: true → Login sessions require session support. Did you forget to use express-session middleware? (the stack is stateless JWT, no express-session)
oauthCallback has the same unguarded req.params.strategy → the synchronous throw fires before its error callback. ALLOWED_PROVIDERS already exists in the controller but is used only in the profile resolver, not the route handlers.
Fix
- Guard oauthCall + oauthCallback: reject when strategy is not in ALLOWED_PROVIDERS OR the provider is not enabled in config → return 404 (not 500).
- Pass { session: false } to passport.authenticate (stateless JWT).
- Add tests for oauthCall (none today): unknown → 404, disabled → 404, enabled+allowed → delegates.
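The guard from the three steps above, as an added example rather than the project's own controller code: passport is injected and faked so it runs offline, and ALLOWED_PROVIDERS plus the config shape { providers: { name: { enabled } } } are assumptions about the project's layout.

```javascript
const ALLOWED_PROVIDERS = ['google', 'github']; // assumption: project's allow-list

// Returns the strategy name only when it is allowed AND enabled in config, else null.
function resolveStrategy(strategy, config) {
  if (typeof strategy !== 'string' || !ALLOWED_PROVIDERS.includes(strategy)) return null;
  const provider = config.providers && config.providers[strategy];
  return provider && provider.enabled === true ? strategy : null;
}

// Shared guard for oauthCall and oauthCallback: unknown or disabled -> 404, so
// passport never sees an unregistered name (which it rejects with a synchronous throw).
function makeOauthHandler(passport, config) {
  return function handler(req, res, next) {
    const strategy = resolveStrategy(req.params.strategy, config);
    if (strategy === null) return res.status(404).json({ error: 'Not Found' });
    // Stateless JWT stack: session:false stops passport from trying to create a login session.
    return passport.authenticate(strategy, { session: false })(req, res, next);
  };
}

// --- constructed test doubles so the example runs stand-alone (no express/passport) ---
function fakeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Records delegated calls and, like real passport, throws on an unregistered name.
function fakePassport(registered) {
  const calls = [];
  return {
    calls,
    authenticate(name, opts) {
      if (!registered.includes(name)) throw new Error('Unknown authentication strategy "' + name + '"');
      return (req, res) => { calls.push({ name, opts }); return res.status(200).json({ delegated: name }); };
    },
  };
}

// Runs one GET /api/auth/:strategy through the guarded handler; returns the HTTP status.
function probe(strategy, config, passport) {
  const req = { params: { strategy } };
  const res = fakeRes();
  makeOauthHandler(passport, config)(req, res, () => {});
  return res.statusCode;
}

const CONFIG = { providers: { google: { enabled: true }, github: { enabled: false } } };
console.log(probe('me', CONFIG, fakePassport(['google'])), probe('github', CONFIG, fakePassport(['google'])), probe('google', CONFIG, fakePassport(['google']))); // 404 404 200
```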
Why
Probe traffic to /api/auth/* produces 500s + error-tracking noise; enabling an OAuth provider would break on the session error. Hardening turns these into clean 404s and makes OAuth providers safe to enable.
Created via /dev:issue