From df37c56a2ad9268c4a05b25e930fc0cfd515bc27 Mon Sep 17 00:00:00 2001
From: Alex Dolski
Date: Wed, 7 Feb 2024 09:49:07 -0600
Subject: [PATCH] create() returns HTTP 404 for an unrecognized provider
---
 app/controllers/sessions_controller.rb | 4 ++++
 test/controllers/sessions_controller_test.rb | 18 ++++++++++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 1a3242ac..6bbefb63 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -37,6 +37,10 @@ def new
 #
 def create
 auth = request.env["omniauth.auth"]
+ unless %w[developer identity saml].include?(params[:provider])
+ render plain: "404 Not Found", status: :not_found
+ return
+ end
 user = User.from_omniauth(auth, institution: current_institution)
 if !user&.enabled
 unauthorized(message: "This user account is disabled.") and return
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
index df88d559..fb92f4ed 100644
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -13,6 +13,16 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
 # create()
+ test "create() via GET with an invalid strategy returns HTTP 404" do
+ get "/auth/bogus/callback"
+ assert_response :not_found
+ end
+
+ test "create() via POST with an invalid strategy returns HTTP 404" do
+ post "/auth/bogus/callback"
+ assert_response :not_found
+ end
+
+ test "create() with identity strategy with invalid credentials redirects to failure route" do
 post "/auth/identity/callback", params: {
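Review bot: The allowlist `%w[developer identity saml]` in the new `unless` hard-codes which OmniAuth strategies `create` accepts, separately from wherever the middleware mounts them, and it admits `developer` unconditionally; if the developer strategy is only meant to be mounted outside production (the initializer is not visible from this hunk), the controller should either derive the list from the OmniAuth configuration so the two cannot drift, or at least keep it in one documented constant such as `PROVIDERS = %w[developer identity saml].freeze # developer is expected only in non-production`. Since `auth` is read on the line just above the check and the middleware does not populate `omniauth.auth` for a provider it does not handle, a guard like `return head(:not_found) if auth.nil?` would reject the same requests without a second source of truth — assuming no mounted strategy can reach `create` with a nil `auth`, which is worth confirming. Stylistically, the four-line `unless … return … end` differs from the `unauthorized(...) and return` idiom used two lines below; `render(plain: "404 Not Found", status: :not_found) and return unless PROVIDERS.include?(params[:provider])` would keep the method uniform. The body of `create` continues past the end of the hunk.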
@@ -104,21 +114,21 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
 test "create() with saml strategy with a disabled user redirects to the return URL" do
- skip # TODO: figure out how to write this
+ skip
 end
 test "create() with saml strategy with sysadmin user of different institution redirects to the return URL" do
- skip # TODO: figure out how to write this
+ skip
 end
 test "create() with saml strategy redirects to the institution root URL" do
- skip # TODO: figure out how to write this
+ skip
 end
 test "create() with saml strategy with valid credentials ascribes a correct Login object" do
- skip # TODO: figure out how to write this
+ skip
 end
 # destroy()