fix: remove duplicate OIDC endpoint SSRF validation block

waleedlatif1 · claude · waleedlatif1 · commit 002748f91ee1 · 2026-03-26T15:34:10.000-07:00
Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/auth/sso/register/route.ts b/apps/sim/app/api/auth/sso/register/route.ts
@@ -192,31 +192,36 @@ export async function POST(request: NextRequest) {
 
           const discovery = (await discoveryResponse.json()) as Record<string, unknown>
 
-          oidcConfig.authorizationEndpoint =
-            oidcConfig.authorizationEndpoint || discovery.authorization_endpoint
-          oidcConfig.tokenEndpoint = oidcConfig.tokenEndpoint || discovery.token_endpoint
-          oidcConfig.userInfoEndpoint = oidcConfig.userInfoEndpoint || discovery.userinfo_endpoint
-          oidcConfig.jwksEndpoint = oidcConfig.jwksEndpoint || discovery.jwks_uri
+          const discoveredEndpoints: Record<string, unknown> = {
+            authorization_endpoint: discovery.authorization_endpoint,
+            token_endpoint: discovery.token_endpoint,
+            userinfo_endpoint: discovery.userinfo_endpoint,
+            jwks_uri: discovery.jwks_uri,
+          }
 
-          // Validate discovered endpoints against SSRF — these are fetched server-side
-          const endpointsToValidate = [
-            { name: 'tokenEndpoint', url: oidcConfig.tokenEndpoint },
-            { name: 'userInfoEndpoint', url: oidcConfig.userInfoEndpoint },
-            { name: 'jwksEndpoint', url: oidcConfig.jwksEndpoint },
-          ]
-          for (const { name, url } of endpointsToValidate) {
-            if (typeof url === 'string') {
-              const result = await validateUrlWithDNS(url, `OIDC ${name}`)
-              if (!result.isValid) {
-                logger.warn(`Discovered OIDC ${name} failed SSRF validation`, {
-                  url,
-                  error: result.error,
+          for (const [key, value] of Object.entries(discoveredEndpoints)) {
+            if (typeof value === 'string') {
+              const endpointValidation = await validateUrlWithDNS(value, `OIDC ${key}`)
+              if (!endpointValidation.isValid) {
+                logger.warn('OIDC discovered endpoint failed SSRF validation', {
+                  endpoint: key,
+                  url: value,
+                  error: endpointValidation.error,
                 })
-                return NextResponse.json({ error: result.error }, { status: 400 })
+                return NextResponse.json(
+                  { error: `Discovered OIDC ${key} failed security validation: ${endpointValidation.error}` },
+                  { status: 400 }
+                )
               }
             }
           }
 
+          oidcConfig.authorizationEndpoint =
+            oidcConfig.authorizationEndpoint || discovery.authorization_endpoint
+          oidcConfig.tokenEndpoint = oidcConfig.tokenEndpoint || discovery.token_endpoint
+          oidcConfig.userInfoEndpoint = oidcConfig.userInfoEndpoint || discovery.userinfo_endpoint
+          oidcConfig.jwksEndpoint = oidcConfig.jwksEndpoint || discovery.jwks_uri
+
           logger.info('Merged OIDC endpoints (user-provided + discovery)', {
             providerId,
             issuer,
