From 2ebd10b1e94a4a3661747f250ac52f88acc12ff2 Mon Sep 17 00:00:00 2001
From: Emmanuel Nelson
Date: Tue, 13 Jan 2026 11:21:15 -0500
Subject: [PATCH] Restrict form size validation to non-GET requests

Form size validation is now only applied to POST, PUT, and PATCH requests. This allows GET requests with long query parameters, such as OIDC callbacks, to bypass the form size check.
---
 server/auth/handlers/handler.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/server/auth/handlers/handler.go b/server/auth/handlers/handler.go
index 4f512cdb5e..9fac864026 100644
--- a/server/auth/handlers/handler.go
+++ b/server/auth/handlers/handler.go
@@ -215,9 +215,13 @@ func (h *AuthHandlers) handle(fn handlerFn) http.HandlerFunc {
 return
 }
- if !validFormPost(r) {
- req.Status = http.StatusRequestEntityTooLarge
- return
+ // Only validate form post for actual POST/PUT/PATCH requests, not GET
+ // GET requests with query params (like OIDC callbacks) can have long values
+ if r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodPatch {
+ if !validFormPost(r) {
+ req.Status = http.StatusRequestEntityTooLarge
+ return
+ }
 }
 req.Client = request.GetOauth2Client(req.Session)
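Review bot: The allow-list on the new `if r.Method == http.MethodPost || ...` line is broader than its comment admits: it skips the size check for every method other than POST, PUT and PATCH, not just GET, so a DELETE or custom-method request carrying a large body is no longer rejected with 413 here. That is defensible only because net/http's `ParseForm` reads the request body for exactly those three methods, which is presumably what `validFormPost` is guarding; the comment should say so rather than "not GET", e.g. `// Mirror net/http ParseForm: only POST/PUT/PATCH bodies are parsed, so only they need the size limit.` If the intent really is "everything except GET", invert the test instead, `if r.Method != http.MethodGet {`, so the code and the comment agree. Long GET query strings remain bounded by the server's MaxHeaderBytes (the request line counts toward it), so exempting GET does not open an unbounded input path, but that should be stated where the limit is documented. The enclosing `handle` method begins and ends outside the hunk.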