From 736985b79d7fb60058d213add7231c6e7ebcbb5e Mon Sep 17 00:00:00 2001
From: yusing
Date: Mon, 22 Dec 2025 10:35:43 +0800
Subject: [PATCH] fix(auth): enforce HTML acceptance in OIDC login handler

---
 internal/auth/oidc.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/internal/auth/oidc.go b/internal/auth/oidc.go
index ea45f443..7ee3575e 100644
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -231,6 +231,11 @@ func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
 var rateLimit = rate.NewLimiter(rate.Every(time.Second), 1)
 
 func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
+	if !httputils.GetAccept(r.Header).AcceptHTML() {
+		http.Error(w, "authentication is required", http.StatusForbidden)
+		return
+	}
+
 	// check for session token
 	sessionToken, err := r.Cookie(auth.getAppScopedCookieName(CookieOauthSessionToken))
 	if err == nil { // session token exists
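Review bot: The new guard in LoginHandler answers `authentication is required` with 403 Forbidden, but that message describes a missing credential, which is 401 Unauthorized; a 403 tells an API client it is already authenticated and denied, so it has no reason to obtain a session and retry. I would change the added line to `http.Error(w, "authentication is required", http.StatusUnauthorized)`. The Accept header is entirely client-controlled, so this check only steers non-browser callers away from the IdP redirect and must not be read as an authorization boundary; a comment above the `if`, such as `// Accept is attacker-controlled: this keeps API/XHR clients off the redirect flow, it is not an auth check.`, would stop later readers from relying on it. Whether `AcceptHTML()` treats an absent Accept header or `*/*` as HTML is not visible here, and it decides whether plain curl or fetch callers are rejected, so that is worth confirming. LoginHandler's body continues past the end of the hunk.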