fix: Validate authData provider values in challenge endpoint

[mtrezza]

Issue

The /challenge endpoint accesses authData[key].id without checking whether the provider value is a non-null object. Sending { authData: { anonymous: null } } causes a TypeError: Cannot read properties of null (reading 'id') and returns a 500.

Fix: validate each provider value is a non-null object before accessing properties, and add null-safe .id access in the filter and find expressions.

Tasks

• Add tests
• Add changes
• Add security check
• Add benchmark

Summary by CodeRabbit

• Bug Fixes

  • Challenge endpoint now enforces stricter validation of authData entries, rejecting non-object or invalid provider values and only treating providers with valid ids as present, returning appropriate 4xx errors.

• Tests

  • Added tests for authData provider value validation and edge cases to ensure 4xx handling and prevent 5xx crashes.
  • Removed two obsolete tests related to authData dotted-key injection and a related login crash scenario.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c09883ef-64c8-4569-a661-f675ee06f70e

📥 Commits

Reviewing files that changed from the base of the PR and between 63a6d21 and ed7a9b8.

📒 Files selected for processing (2)

• spec/AuthenticationAdaptersV2.spec.js
• spec/vulnerabilities.spec.js

💤 Files with no reviewable changes (1)

• spec/vulnerabilities.spec.js

---

📝 Walkthrough

Walkthrough

Reworks authData-related tests between spec files and tightens UsersRouter.handleChallenge: it now rejects non-object top-level authData entries and counts only providers with a truthy authData[key].id for multi-provider detection.

Changes

Cohort / File(s)	Summary
Tests — removed spec/vulnerabilities.spec.js	Removed two tests under "authData dot-notation injection and login crash" (dotted update key rejection and login crash with unknown provider).
Tests — added spec/AuthenticationAdaptersV2.spec.js	Added tests for authData dot-notation injection and challenge endpoint authData provider value validation (cases for null and non-object provider values).
Backend validation src/Routers/UsersRouter.js	In handleChallenge, validate each top-level authData entry is an object (throwing an error naming the key if not) and treat a provider as present only if authData[key] && authData[key].id (truthy id).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: Block dot-notation updates to authData sub-fields and harden login provider checks #10223: Related work hardening authData handling and blocking dot-notation authData updates.
• fix: Empty authData bypasses credential requirement on signup (GHSA-wjqw-r9x4-j59v) #10219: Related changes tightening authData validation for non-object/invalid provider values.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: adding validation for authData provider values in the challenge endpoint, which is the core fix implemented across the modified files.
Description check	✅ Passed	The description provides the issue, approach, and completed tasks, but the template section on 'Add security check' remains unchecked despite being mentioned as pending in the PR objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.58%. Comparing base (12c24c6) to head (ed7a9b8).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10224      +/-   ##
==========================================
- Coverage   92.59%   92.58%   -0.01%     
==========================================
  Files         192      192              
  Lines       16304    16307       +3     
  Branches      199      199              
==========================================
+ Hits        15096    15098       +2     
- Misses       1191     1192       +1     
  Partials       17       17              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.6.0-alpha.31