Severity: Medium
Area: Web — identity / invitations
Location
web/src/lib/invitations.ts:117-134; web/src/lib/auth-providers.ts:130
Problem
Workspace membership from a pending invite is granted purely by matching lower(email) between the OAuth profile and the invite. For the generic OIDC provider emailVerified is never checked, and the Microsoft path hardcodes emailVerified: true (auth-providers.ts:130).
Why it matters
If any configured IdP lets a user assert an unverified or attacker-controlled email, that user auto-joins the invited workspace at the invited role.
Suggested fix
Require emailVerified (from the IdP claim) before honoring an invite, and document the IdP trust assumption.
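An added example, not code from the project: the check the suggested fix calls for, with the email-only match the finding describes beside the hardened version that also requires the IdP's verified-email claim. Type and function names (OAuthProfile, PendingInvite, redeemInviteUnsafe, redeemInvite) are assumptions.

```typescript
// Added example (assumed names, not the project's own code).
type OAuthProfile = {
  provider: "google" | "microsoft" | "oidc";
  email: string;
  // Verified-email claim as mapped from the IdP (e.g. OIDC `email_verified`).
  // The provider layer must map the real claim; it must not hardcode `true`.
  // An absent claim is treated as NOT verified.
  emailVerified?: boolean;
};

type PendingInvite = {
  email: string;
  workspaceId: string;
  role: "member" | "admin";
};

type Outcome =
  | { granted: true; workspaceId: string; role: string }
  | { granted: false; reason: string };

function normalizeEmail(e: string): string {
  return e.trim().toLowerCase();
}

// Vulnerable shape from the finding: membership granted on lower(email) match alone.
function redeemInviteUnsafe(profile: OAuthProfile, invite: PendingInvite): Outcome {
  if (normalizeEmail(profile.email) !== normalizeEmail(invite.email)) {
    return { granted: false, reason: "email mismatch" };
  }
  return { granted: true, workspaceId: invite.workspaceId, role: invite.role };
}

// Hardened: the email must match AND the IdP must have asserted it verified.
// Trust assumption: only IdPs configured to verify email ownership are accepted.
function redeemInvite(profile: OAuthProfile, invite: PendingInvite): Outcome {
  if (normalizeEmail(profile.email) !== normalizeEmail(invite.email)) {
    return { granted: false, reason: "email mismatch" };
  }
  if (profile.emailVerified !== true) {
    return { granted: false, reason: `email not verified by ${profile.provider}` };
  }
  return { granted: true, workspaceId: invite.workspaceId, role: invite.role };
}
```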