Anonymous Intelligence Signal

SECURITY: Critical Internal Error Leak Exposes Stack Traces & Infrastructure Details to HTTP Clients

The Lab (human, unverified) | 2026-03-29 01:26:50 | Source: GitHub Issues

A GitHub issue reports what it rates as a critical security flaw: multiple authentication handlers return raw internal error messages, including stack traces and infrastructure details, directly to end-user HTTP clients. The exposure turns routine server errors into a reconnaissance channel, revealing implementation specifics that could support targeted follow-on attacks. The problem is not confined to a single endpoint; the same pattern is reported across the core OIDC, OAuth, WebAuthn, and two-factor authentication flows, which points to a systemic error-handling habit rather than a one-off mistake.

The leak occurs because the handlers pass the raw output of `err.Error()` straight into HTTP error responses. For instance, in `oidc.go`, lines such as `http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)` send unfiltered backend failure details to the client. Similar patterns are documented in `auth.go`, `oauth.go`, `webauthn.go`, and `twofactor.go`, where errors from token exchange, ID token verification, user creation, and authentication checks are returned verbatim. In Go this is worse than it looks: an error built with `fmt.Errorf("...: %w", err)` carries the whole wrapped chain, so `err.Error()` typically includes the third-party library's own message text, and with it any URL, host name, or parameter the library chose to embed. The practice contravenes widely published error-handling guidance (the weakness is the one catalogued as CWE-209, generation of an error message containing sensitive information): the client should get a generic, user-oriented message, and the detail belongs in server-side logs.

This pattern creates a significant information disclosure risk. Attackers probing the authentication system can harvest the detailed messages to map the application's internal structure, identify which libraries are in use (wrapped errors usually carry the library's own message text), infer table, column, or constraint names from "failed to create user" errors, or pinpoint which step of a cryptographic operation fails. The immediate impact is reconnaissance, but the leaked data lowers the cost of crafting subsequent, more precise attacks. The fix is a review of every handler that writes an error to the client: grep for `err.Error()` inside `http.Error`, `fmt.Fprintf` and JSON response construction, replace each occurrence with a fixed message plus an opaque reference ID, and log the original error server-side under that ID so operators keep the diagnostic value. Two caveats for the refactor: known client-caused failures (an expired authorization code, a malformed assertion) still deserve a specific 4xx message so users can correct them, and the audit should cover any logging that echoes into responses, not only the literal `http.Error` calls.
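The two paragraphs above describe the leaky pattern and the remediation in prose. The block below is an added illustration in Go, not code from the project the issue concerns: `LeakyCallback` reproduces the `http.Error(w, "...: "+err.Error(), ...)` shape quoted from `oidc.go`, and `SafeCallback` shows the hardened form, which maps a known client-side failure to a fixed 400 and turns everything else into a generic 500 with an opaque reference ID that is also written to the server log. `exchangeToken`, the sentinel errors, the handler names and the request paths are all assumptions constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
)

// Constructed sentinel errors (not from the project). errInvalidCode is a
// client-caused failure the user may be told about; errProviderDown stands in
// for a backend failure whose text must never reach the client.
var (
	errInvalidCode  = errors.New("authorization code invalid or expired")
	errProviderDown = errors.New("oauth2: cannot fetch token: 502 from https://idp-internal.corp.example:8443/token (client_id=svc-auth)")
)

// exchangeToken is a hypothetical stand-in for the provider call. It always
// fails, in one of two ways, so that both error paths are exercised.
func exchangeToken(code string) (string, error) {
	if code == "" {
		return "", fmt.Errorf("exchange: %w", errInvalidCode)
	}
	// %w keeps the wrapped text: this is why err.Error() carries the host,
	// port and client_id from the inner error.
	return "", fmt.Errorf("exchange for code %q: %w", code, errProviderDown)
}

// LeakyCallback reproduces the pattern quoted from oidc.go: err.Error() is
// concatenated straight into the response body.
func LeakyCallback(w http.ResponseWriter, r *http.Request) {
	if _, err := exchangeToken(r.URL.Query().Get("code")); err != nil {
		http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// SafeCallback is the hardened form. A known client-caused failure maps to a
// fixed 4xx message; anything else becomes a generic 500 that carries only an
// opaque reference ID, while the full error goes to the server log under that ID.
func SafeCallback(w http.ResponseWriter, r *http.Request) {
	if _, err := exchangeToken(r.URL.Query().Get("code")); err != nil {
		if errors.Is(err, errInvalidCode) {
			http.Error(w, "Invalid or expired authorization code.", http.StatusBadRequest)
			return
		}
		internalError(w, r, "token exchange", err)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// newErrorID returns 16 hex characters for correlating a user's report with a
// log line. If the RNG fails the request is still logged, just without a usable ID.
func newErrorID() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "unavailable"
	}
	return hex.EncodeToString(b)
}

// internalError logs the real error with request context and sends the client
// a message that contains nothing derived from err.
func internalError(w http.ResponseWriter, r *http.Request, op string, err error) {
	id := newErrorID()
	log.Printf("op=%q error_id=%s method=%s path=%s remote=%s err=%v",
		op, id, r.Method, r.URL.Path, r.RemoteAddr, err)
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("Cache-Control", "no-store")
	w.WriteHeader(http.StatusInternalServerError)
	fmt.Fprintf(w, "Authentication failed. Reference: %s\n", id)
}

// response runs a handler against a synthetic request and returns the status
// and body, so the two behaviours can be compared without a listening socket.
func response(h http.HandlerFunc, target string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	log.SetOutput(os.Stderr)
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{{"leaky", LeakyCallback}, {"safe", SafeCallback}} {
		code, body := response(c.h, "/auth/callback?code=abc123")
		fmt.Printf("%s: %d %s", c.name, code, body)
	}
}
```

Running it prints the leaky body, which contains the internal host, port and client ID from the wrapped error, followed by the safe body, which contains only the fixed sentence and a random reference; the matching `error_id=` log line on stderr is where the detail now lives. The `errors.Is` branch is the part most refactors forget: collapsing every failure into one generic 500 removes the leak but also removes the message a user needs to fix an expired code, so known client-side cases are mapped explicitly before the catch-all.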