fix(login): omit client_id from password_login body when empty #13

Merged
YousifShkara merged 1 commit from fix/login-skip-empty-client-id into main 2026-05-29 06:51:00 +02:00

bunyip-web's password_login unconditionally put `cfg.client_id` into the JSON body it POSTed to mokosh-server's /v1/auth/login. mokosh-server types LoginRequest.client_id as `Option<uuid::Uuid>`; serde's behaviour for that shape accepts a missing field or null as None, accepts a valid UUID string as Some, and 422s on anything else (including the empty string).

bunyip-web's OidcConfig::from_env() falls back to `""` whenever the image was built without BUNYIP_OIDC_CLIENT_ID set - the common shape for staging deploys where the SaaS shell only needs an OP-session cookie (no per-RP token bundle). On those deploys every /login submit returned 422 Unprocessable Content; the SPA mapped that to the generic "Email or password didn't match" toast even when the credentials were correct, and the audit log contained zero matching attempts because the request never made it past the deserialiser.

Switch to a json!() builder that includes `client_id` only when the configured value is non-empty. mokosh-server then deserialises the body as `client_id: None` and falls back to the legacy session-cookie-only flow, which is what staging actually wants.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
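
The accept/reject rule and the before/after request bodies described above, as an added std-only Rust model (not code from bunyip-web or mokosh-server). The function names, the `email`/`password` field names and the hand-written UUID check, which stands in for serde and the uuid crate, are assumptions for illustration.

```rust
use std::collections::BTreeMap;

// JSON object modelled with std only: key absent = field missing,
// value None = JSON null, value Some(s) = JSON string.
type Body = BTreeMap<&'static str, Option<String>>;

// Stand-in for UUID parsing: accepts only the hyphenated 8-4-4-4-12 hex form
// (a simplification of what a real UUID parser accepts).
fn is_uuid(s: &str) -> bool {
    let groups: Vec<&str> = s.split('-').collect();
    groups.len() == 5
        && groups.iter().zip([8usize, 4, 4, 4, 12].iter()).all(|(g, n)| {
            g.len() == *n && g.chars().all(|c| c.is_ascii_hexdigit())
        })
}

// Server side: missing or null -> Ok(None); valid UUID -> Ok(Some);
// anything else, including "", is rejected with 422 before any handler runs.
fn server_client_id(body: &Body) -> Result<Option<String>, u16> {
    match body.get("client_id") {
        None | Some(None) => Ok(None),
        Some(Some(s)) if is_uuid(s) => Ok(Some(s.clone())),
        Some(Some(_)) => Err(422),
    }
}

// "After": client_id is included only when the configured value is non-empty.
fn body_after(email: &str, password: &str, client_id: &str) -> Body {
    let mut b = Body::new();
    b.insert("email", Some(email.to_string()));
    b.insert("password", Some(password.to_string()));
    if !client_id.is_empty() {
        b.insert("client_id", Some(client_id.to_string()));
    }
    b
}

// "Before": client_id is always sent, even when the configured value is "".
fn body_before(email: &str, password: &str, client_id: &str) -> Body {
    let mut b = body_after(email, password, "");
    b.insert("client_id", Some(client_id.to_string()));
    b
}

fn main() {
    // Constructed sample values: an unset client id and a made-up UUID.
    for cid in ["", "3f2b8c1e-9a4d-4e6f-8b7a-0c1d2e3f4a5b"].iter() {
        let before = server_client_id(&body_before("a@example.test", "pw", cid));
        let after = server_client_id(&body_after("a@example.test", "pw", cid));
        println!("{:?}: before={:?} after={:?}", cid, before, after);
    }
}
```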

fix(login): omit client_id from password_login body when empty
All checks were successful
build / Build and push OCI images (pull_request) Has been skipped
build / Lint and type-check (pull_request) Successful in 14s
ae197fb2fe
YousifShkara deleted branch fix/login-skip-empty-client-id 2026-05-29 06:51:00 +02:00
Reference
psa-systems/bunyip!13