hermes-agent/plugins
Ben Barclay fbf748b282
fix(dashboard-auth): follow redirects on self-hosted OIDC discovery (#53399)
The self-hosted OIDC provider fetched the discovery document with a bare
httpx.get(). httpx defaults to follow_redirects=False (unlike curl -L or
the requests library), so when an IDP answers GET
/.well-known/openid-configuration with a 3xx — Authentik canonicalises the
.well-known path, and any IDP behind a reverse proxy doing an http→https
upgrade redirects too — the bare redirect (empty body) tripped the
status != 200 guard and raised 'OIDC discovery returned 302', which
routes.py maps to the provider_unreachable audit event and a 503. The
browser surfaced 'Auth provider self-hosted unreachable'.

The user's smoking gun (curl -o writing zero bytes from inside the
container) is exactly a redirect with no body — the same wall the code hit.

Add follow_redirects=True to the discovery GET only. It's safe: the
issuer-pin check and _require_https_or_loopback still validate the resolved
document and every endpoint, so a redirect can't smuggle in a bad issuer or
a cleartext endpoint. The token/revocation POSTs deliberately keep the
no-follow default (they carry an auth code / refresh token and the endpoint
is already the canonical absolute URL).

Existing discovery tests mocked httpx.get with a canned 200 and never
exercised a real 3xx. Add a regression test that runs a real loopback
server returning a 302 on the .well-known path — fails without the fix
(ProviderError: discovery returned 302), passes with it.
2026-06-27 14:14:51 +10:00
..
browser fix: guard int(os.getenv()) casts against malformed env vars (#40598) 2026-06-07 06:14:24 -07:00
context_engine feat(context-engine): host contract for external context engines 2026-05-28 01:45:30 -07:00
cron_providers fix(cron): avoid provider package shadowing core cron 2026-06-23 23:39:22 -07:00
dashboard_auth fix(dashboard-auth): follow redirects on self-hosted OIDC discovery (#53399) 2026-06-27 14:14:51 +10:00
disk-cleanup 🐛 fix(disk-cleanup): avoid brittle sweep review issues 2026-06-15 05:25:27 -07:00
google_meet fix: prevent TUI gateway stdin EOF crash across all TUI-context subprocess calls 2026-06-08 22:46:57 -07:00
hermes-achievements revert(plugins): restore user dashboard plugin backend API auto-import (#43719) (#51950) 2026-06-24 07:46:54 -07:00
image_gen fix shape 2026-06-25 12:38:33 -07:00
kanban fix(security): sanitize kanban markdown html 2026-06-21 13:10:17 -07:00
memory feat(openviking): add full recall prefetch policy 2026-06-24 18:53:49 +05:30
model-providers feat: add reasoning_effort support to ollama-cloud provider 2026-06-23 11:51:43 -07:00
observability fix(langfuse): bound _TRACE_STATE growth from non-finalizing turns 2026-06-18 12:59:41 +05:30
platforms fix: remove duplicated table renderer from Telegram adapter 2026-06-27 03:57:24 +05:30
security-guidance plugins: add security-guidance — pattern-matched warnings on dangerous code writes (#33131) 2026-05-27 02:07:21 -07:00
spotify chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
teams_pipeline chore: prune unused imports and duplicate import redefinitions 2026-05-28 22:26:25 -07:00
video_gen fix(plugins): thread-safe lazy-singleton helpers; fix honcho TOCTOU (#24759) (#42150) 2026-06-08 09:35:22 -07:00
web fix(ddgs): bound DuckDuckGo search with a wall-clock timeout (#36776) 2026-06-25 01:45:06 +05:30
__init__.py feat(memory): pluggable memory provider interface with profile isolation, review fixes, and honcho CLI restoration (#4623) 2026-04-02 15:33:51 -07:00
plugin_utils.py fix(plugins): thread-safe lazy-singleton helpers; fix honcho TOCTOU (#24759) (#42150) 2026-06-08 09:35:22 -07:00