akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
edd4e6879fd7b4ec0c883f30cb56a1df725c681e
caddy-proxy-manager/app/(auth)/link-account/LinkAccountClient.tsx
fuomag9 75044c8d9b fix: harden security post-review (JWT exposure, rate limiter, token expiry, timing) 
- Raw JWT never sent to browser: page.tsx uses peekLinkingToken (read-only),
  client sends opaque linkingId, API calls retrieveLinkingToken server-side
- link-account rate limiter now uses isRateLimited/registerFailedAttempt/
  resetAttempts correctly (count only failures, reset on success)
- linking_tokens gains expiresAt column (indexed) + opportunistic expiry
  purge on insert to prevent unbounded table growth
- secureTokenCompare fixed: pad+slice to expected length so timing is
  constant regardless of submitted token length (no length leak)
- autoLinkOAuth uses config.oauth.allowAutoLinking (boolean) instead of
  process.env truthy check that mishandles OAUTH_ALLOW_AUTO_LINKING=false
- Add Permissions-Policy header; restore X-Frame-Options for legacy UAs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-25 20:58:21 +01:00

142 lines
3.7 KiB
TypeScript
Raw Blame History

"use client";
import { useState, FormEvent } from "react";
import { useRouter } from "next/navigation";
import {
Alert,
Box,
Button,
Card,
CardContent,
Stack,
TextField,
Typography
} from "@mui/material";
import { signIn } from "next-auth/react";
interface LinkAccountClientProps {
provider: string;
email: string;
linkingId: string;
}
export default function LinkAccountClient({
provider,
email,
linkingId
}: LinkAccountClientProps) {
const router = useRouter();
const [password, setPassword] = useState("");
const [error, setError] = useState<string | null>(null);
const [loading, setLoading] = useState(false);
const handleLinkAccount = async (event: FormEvent) => {
event.preventDefault();
setError(null);
setLoading(true);
try {
// Call API to verify password and link account
const response = await fetch("/api/auth/link-account", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
linkingId,
password
})
});
const data = await response.json();
if (!response.ok) {
setError(data.error || "Failed to link account");
setLoading(false);
return;
}
// Successfully linked - sign in with OAuth
// The provider should now recognize the linked account
await signIn(provider, {
callbackUrl: "/"
});
} catch (err) {
setError("An error occurred while linking your account");
setLoading(false);
}
};
const handleUsePassword = () => {
router.push("/login");
};
const providerName = provider.charAt(0).toUpperCase() + provider.slice(1);
return (
<Box
sx={{
minHeight: "100vh",
display: "flex",
alignItems: "center",
justifyContent: "center",
bgcolor: "background.default"
}}
>
<Card sx={{ maxWidth: 500, width: "100%", p: 1.5 }} elevation={6}>
<CardContent>
<Stack spacing={3}>
<Stack spacing={1} textAlign="center">
<Typography variant="h5" fontWeight={600}>
Link Your Account
</Typography>
<Typography color="text.secondary">
An account with <strong>{email}</strong> already exists
</Typography>
</Stack>
<Alert severity="info">
Would you like to link your <strong>{providerName}</strong> account
to your existing account? Enter your password to confirm.
</Alert>
{error && <Alert severity="error">{error}</Alert>}
<Stack component="form" onSubmit={handleLinkAccount} spacing={2}>
<TextField
label="Password"
type="password"
value={password}
onChange={(e) => setPassword(e.target.value)}
required
fullWidth
autoComplete="current-password"
autoFocus
disabled={loading}
/>
<Button
type="submit"
variant="contained"
size="large"
fullWidth
disabled={loading}
>
{loading ? "Linking Account..." : "Link Account"}
</Button>
<Button
variant="outlined"
size="large"
fullWidth
onClick={handleUsePassword}
disabled={loading}
>
Sign in with Password Instead
</Button>
</Stack>
</Stack>
</CardContent>
</Card>
</Box>
);
}
Reference in New Issue View Git Blame Copy Permalink