Second-pass audit findings (spec 29):
- S2 [MED] OIDC auto-link-by-email lacks the SCIM account-takeover guard:
idp/linker.go Step 2 links an IdP-asserted email to any existing user (incl. a local password admin) with no HasPassword/TrustEmailAssertions check. Mirror scim/users_create.go:113.
- S3 [MED]
GetSSOLoginURL is public but absent from the rate-limit ladder, and CleanupExpiredAuthStates is never scheduled → unbounded auth_states growth + outbound OIDC-discovery amplification.
- S4 [MED] Blind SSRF:
newBoundedOIDCClient has no net.Dialer.Control denylist and issuer_url is validated only required,url — an insider can point discovery/token URLs at internal addresses.
Second-pass audit findings (spec 29):
idp/linker.goStep 2 links an IdP-asserted email to any existing user (incl. a local password admin) with noHasPassword/TrustEmailAssertionscheck. Mirrorscim/users_create.go:113.GetSSOLoginURLis public but absent from the rate-limit ladder, andCleanupExpiredAuthStatesis never scheduled → unboundedauth_statesgrowth + outbound OIDC-discovery amplification.newBoundedOIDCClienthas nonet.Dialer.Controldenylist andissuer_urlis validated onlyrequired,url— an insider can point discovery/token URLs at internal addresses.