From 0f6ff82b5751b4375a5faf57ece5c843627f2b41 Mon Sep 17 00:00:00 2001
From: Don Kingdon
Date: Mon, 13 Apr 2026 00:48:11 +0000
Subject: [PATCH] Guard OTB Cloud handoff against invalid uid

---
 app/auth/routes.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/auth/routes.py b/app/auth/routes.py
index 10514e0..7bd107b 100644
--- a/app/auth/routes.py
+++ b/app/auth/routes.py
@@ -25,7 +25,12 @@ def handoff():
     if not is_valid_signature(email=email, ts=ts, portal_user_id=portal_user_id, sig=sig):
         return render_template("auth/handoff_error.html", message="Invalid handoff signature."), 403
-    identity = ensure_user_tenant_and_devices(email=email, portal_user_id=int(portal_user_id))
+    try:
+        portal_user_id_int = int(portal_user_id)
+    except (TypeError, ValueError):
+        return render_template("auth/handoff_error.html", message="Invalid portal account identifier."), 400
+
+    identity = ensure_user_tenant_and_devices(email=email, portal_user_id=portal_user_id_int)
     session.clear()
     session["otb_user_id"] = identity["user_id"]