From 17a535866b5605d6b2f3f08d187ecff2b82ed316 Mon Sep 17 00:00:00 2001
From: Daniel Volz
Date: Sun, 28 Dec 2025 02:15:26 +0100
Subject: [PATCH] feat(oidc): handle missing sub claim in token and redirect with error
---
 backend/src/routes/oidc.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/backend/src/routes/oidc.ts b/backend/src/routes/oidc.ts
index ca46ff1..9025812 100644
--- a/backend/src/routes/oidc.ts
+++ b/backend/src/routes/oidc.ts
@@ -157,7 +157,12 @@ export async function oidcRoutes(app: FastifyInstance) {
 });

 // Get user info
- const userInfo = await client.fetchUserInfo(config, tokens.access_token, tokens.claims()?.sub);
+ const sub = tokens.claims()?.sub;
+ if (!sub) {
+ console.error("[OIDC] Missing sub claim in token");
+ return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_sub`);
+ }
+ const userInfo = await client.fetchUserInfo(config, tokens.access_token, sub);

 // Extract username from configured claim
 const usernameClaim = env.OIDC_USERNAME_CLAIM;
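Review bot: The new `if (!sub)` branch logs one fixed message through `console.error`, so it cannot distinguish a token response that carried no ID token at all (where `tokens.claims()` is presumably undefined, for example when the `openid` scope was not granted) from an ID token that lacks `sub`, and it bypasses the server's structured logger. Since `app: FastifyInstance` is in scope, something like `app.log.error({ hasIdToken: tokens.claims() !== undefined }, "[OIDC] no subject available for UserInfo check")` would make the failure diagnosable without logging any token contents. A comment above the call would also help, e.g. `// sub comes from the validated ID token and is passed as the expected subject, binding the UserInfo response to the same end-user`, so the guard is not later replaced by skipping the subject check. The handler body starts and ends outside the hunk, so it is not visible whether state or PKCE data stored for this login is cleared before the early `return reply.redirect(...)`; confirm that this error path cleans up the same way the other exits do.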