From cc9163f577280d7c278dc744e20d0505dbe83ede Mon Sep 17 00:00:00 2001
From: Elias Schneider <login@eliasschneider.com>
Date: Tue, 19 May 2026 16:28:30 +0200
Subject: [PATCH] fix: make stream of downloaded logos seekable for S3 checksum
 calculation

---
 backend/internal/service/oidc_service.go | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/backend/internal/service/oidc_service.go b/backend/internal/service/oidc_service.go
index bf093bdd..1deeca44 100644
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -1,6 +1,7 @@
 package service
 
 import (
+	"bytes"
 	"context"
 	"crypto/sha256"
 	"crypto/subtle"
@@ -2154,11 +2155,20 @@ func (s *OidcService) downloadAndSaveLogoFromURL(parentCtx context.Context, clie
 		darkSuffix = "-dark"
 	}
 
-	imagePath := path.Join("oidc-client-images", clientID+darkSuffix+"."+ext)
-	err = s.fileStorage.Save(ctx, imagePath, utils.NewLimitReader(resp.Body, maxLogoSize+1))
+	// Buffer the body so that storage backends receive a seekable reader with a known content length,
+	// which is required for correct checksum calculation on S3-compatible services
+	limitedBody := utils.NewLimitReader(resp.Body, maxLogoSize+1)
+	buf, err := io.ReadAll(limitedBody)
 	if errors.Is(err, utils.ErrSizeExceeded) {
-		return errLogoTooLarge
-	} else if err != nil {
+		if errors.Is(err, utils.ErrSizeExceeded) {
+			return errLogoTooLarge
+		} else if err != nil {
+			return err
+		}
+	}
+
+	imagePath := path.Join("oidc-client-images", clientID+darkSuffix+"."+ext)
+	if err = s.fileStorage.Save(ctx, imagePath, bytes.NewReader(buf)); err != nil {
 		return err
 	}