Merge Fix 06 (HIGH A-6): strict UA/IP binding — close request-empty bypass in MED-16

# Conflicts: # CHANGELOG.md # internal/api/handler/auth_session_oidc.go # internal/api/handler/auth_session_oidc_test.go
2026-06-11 08:38:52 +00:00 · 2026-05-11 11:19:04 +00:00
parent 4e31568d3d 92519436a1
commit 11b145b641
5 changed files with 209 additions and 2 deletions
@@ -1275,6 +1275,14 @@ func classifyOIDCFailure(err error) string {
 	// detail subject to change.
 	case errors.Is(err, oidcsvc.ErrUserDeactivated):
 		return "user_deactivated"
+	// Audit 2026-05-11 A-6 — strict-when-stored. Distinguishes the
+	// new "request omitted the bound header" reject path from the
+	// existing "header was supplied but didn't match" path so SIEM
+	// rules can alert specifically on attempted bypasses.
+	case errors.Is(err, oidcsvc.ErrPreLoginUAMissing):
+		return "prelogin_ua_missing"
+	case errors.Is(err, oidcsvc.ErrPreLoginIPMissing):
+		return "prelogin_ip_missing"
 	}
 	msg := strings.ToLower(err.Error())
 	switch {