From 503bd8de746c09a1c861d6a7aaf2f279bd6ccd7f Mon Sep 17 00:00:00 2001
From: John van der Wulp
Date: Thu, 5 Mar 2026 16:33:10 +0100
Subject: [PATCH] Add validation for responsemode and test
---
 backend/internal/dto/oidc_dto.go | 2 +-
 backend/internal/dto/validations.go | 18 ++++++++++++++++++
 backend/internal/dto/validations_test.go | 19 +++++++++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/backend/internal/dto/oidc_dto.go b/backend/internal/dto/oidc_dto.go
index a6494b9b..b6eabb19 100644
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -71,7 +71,7 @@ type AuthorizeOidcClientRequestDto struct {
 CodeChallenge string `json:"codeChallenge"`
 CodeChallengeMethod string `json:"codeChallengeMethod"`
 ReauthenticationToken string `json:"reauthenticationToken"`
- ResponseMode string `json:"responseMode"`
+ ResponseMode string `json:"responseMode" binding:"omitempty,response_mode"`
 }
 
 type AuthorizeOidcClientResponseDto struct {
diff --git a/backend/internal/dto/validations.go b/backend/internal/dto/validations.go
index 135706fa..c7491f97 100644
--- a/backend/internal/dto/validations.go
+++ b/backend/internal/dto/validations.go
@@ -51,6 +51,12 @@ func init() {
 }); err != nil {
 panic("Failed to register custom validation for callback_url: " + err.Error())
 }
+
+ if err := v.RegisterValidation("response_mode", func(fl validator.FieldLevel) bool {
+ return ValidateResponseMode(fl.Field().String())
+ }); err != nil {
+ panic("Failed to register custom validation for response_mode: " + err.Error())
+ }
 }
 
 // ValidateUsername validates username inputs
@@ -68,3 +74,15 @@ func ValidateCallbackURL(raw string) bool {
 err := utils.ValidateCallbackURLPattern(raw)
 return err == nil
 }
+
+// ValidateResponseMode validates response_mode parameter
+// If responseMode is present, it must be either "form_post" or "query"
+// Empty responseMode is allowed (will use default behavior)
+func ValidateResponseMode(responseMode string) bool {
+ // Empty responseMode is allowed (field not provided, use default)
+ if responseMode == "" {
+ return true
+ }
+ // If present, it must be form_post or query
+ return responseMode == "form_post" || responseMode == "query"
+}
diff --git a/backend/internal/dto/validations_test.go b/backend/internal/dto/validations_test.go
index f6449068..ec52b53e 100644
--- a/backend/internal/dto/validations_test.go
+++ b/backend/internal/dto/validations_test.go
@@ -56,3 +56,22 @@ func TestValidateClientID(t *testing.T) {
 })
 }
 }
+
+func TestValidateResponseMode(t *testing.T) {
+ tests := []struct {
+ name string
+ input string
+ expected bool
+ }{
+ {"valid form_post", "form_post", true},
+ {"valid query", "query", true},
+ {"valid empty", "", true},
+ {"invalid fragment", "fragment", false},
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ assert.Equal(t, tt.expected, ValidateResponseMode(tt.input))
+ })
+ }
+}
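Review bot: The doc comment on ValidateResponseMode says which two values are accepted but not that the other OIDC response modes, including `fragment` (which the accompanying test pins as rejected), are deliberately unsupported, so a later reader has no signal that the allow-list is a decision rather than an omission. A line such as `// Other response modes (e.g. "fragment") are intentionally rejected; the comparison is exact and case-sensitive.` above the func would record that; the case-sensitivity follows from the `==` comparisons in the body. The phrase "will use default behavior" names neither the default nor where it is applied; if that is known, state it here rather than leave the reader to search for it. As a point of style, the two branches collapse into one switch: `switch responseMode { case "", "form_post", "query": return true }` followed by `return false`.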
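Review bot: The table in TestValidateResponseMode has a single invalid case, so it does not pin the two properties that make the validator a useful gate: exact, case-sensitive matching and no whitespace trimming. Adding `{"invalid case", "FORM_POST", false},` and `{"invalid whitespace", " query", false},` to the table documents both and would catch a later loosening of the comparison (for example to `strings.EqualFold` or a `TrimSpace` before the check).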