Merge Fix 06 (HIGH A-6): strict UA/IP binding — close request-empty bypass in MED-16

# Conflicts: # CHANGELOG.md # internal/api/handler/auth_session_oidc.go # internal/api/handler/auth_session_oidc_test.go
2026-06-11 11:48:59 +00:00 · 2026-05-11 11:19:04 +00:00
parent 4e31568d3d 92519436a1
commit 11b145b641
5 changed files with 209 additions and 2 deletions
@@ -1222,6 +1222,17 @@ func TestClassifyOIDCFailure(t *testing.T) {
 		// round-trip).
 		{oidcsvc.ErrUserDeactivated, "user_deactivated"},
 		{fmt.Errorf("upstream: %w", oidcsvc.ErrUserDeactivated), "user_deactivated"},
+		// Audit 2026-05-11 A-6 — strict-when-stored. Distinguishes the
+		// new request-omitted-binding reject path from the existing
+		// mismatch leg. Wrapped variants must round-trip through
+		// errors.Is so the audit category remains stable even when
+		// the service layer adds context wrapping.
+		{oidcsvc.ErrPreLoginUAMismatch, "prelogin_ua_mismatch"},
+		{oidcsvc.ErrPreLoginIPMismatch, "prelogin_ip_mismatch"},
+		{oidcsvc.ErrPreLoginUAMissing, "prelogin_ua_missing"},
+		{oidcsvc.ErrPreLoginIPMissing, "prelogin_ip_missing"},
+		{fmt.Errorf("upstream: %w", oidcsvc.ErrPreLoginUAMissing), "prelogin_ua_missing"},
+		{fmt.Errorf("upstream: %w", oidcsvc.ErrPreLoginIPMissing), "prelogin_ip_missing"},
 		{errors.New("some other error"), "unspecified"},
 	}
 	for _, tc := range cases {