feat(backend): add response type validation in OAuth2 authorization

Author: Lasim

services/backend/src/routes/oauth2/authorization.ts

@@ -46,11 +46,24 @@ export default async function authorizationRoute(fastify: FastifyInstance) {
         code_challenge_method
       } = request.query as z.infer<typeof authorizationQuerySchema>;
 
+      // Validate response_type (additional validation beyond schema)
+      if (response_type !== 'code') {
+        request.log.warn({
+          operation: 'oauth2_authorization',
+          responseType: response_type,
+          error: 'unsupported_response_type',
+        }, 'Unsupported OAuth2 response type');
+
+        const errorUrl = `${redirect_uri}?error=unsupported_response_type&error_description=${encodeURIComponent('Only "code" response type is supported')}&state=${state}`;
+        return reply.redirect(errorUrl);
+      }
+
       request.log.debug({
         operation: 'oauth2_authorization',
         clientId: client_id,
         redirectUri: redirect_uri,
         scope,
+        responseType: response_type,
         codeChallengeMethod: code_challenge_method,
       }, 'OAuth2 authorization request received');
 

services/backend/src/routes/teams/index.ts

@@ -40,17 +40,6 @@ export default async function teamsRoute(fastify: FastifyInstance) {
       requireOAuthScope('teams:read')
     ]
   }, async (request: FastifyRequest, reply: FastifyReply) => {
-    const authType = request.tokenPayload ? 'oauth2' : 'cookie';
-    const userId = request.user!.id;
-
-    request.log.debug({
-      operation: 'get_user_default_team',
-      userId,
-      authType,
-      clientId: request.tokenPayload?.clientId,
-      scope: request.tokenPayload?.scope,
-      endpoint: request.url
-    }, 'Authentication method determined for default team retrieval');
     try {
       if (!request.user) {
         return reply.status(401).send({
@@ -59,6 +48,18 @@ export default async function teamsRoute(fastify: FastifyInstance) {
         });
       }
 
+      const authType = request.tokenPayload ? 'oauth2' : 'cookie';
+      const userId = request.user.id;
+
+      request.log.debug({
+        operation: 'get_user_default_team',
+        userId,
+        authType,
+        clientId: request.tokenPayload?.clientId,
+        scope: request.tokenPayload?.scope,
+        endpoint: request.url
+      }, 'Authentication method determined for default team retrieval');
+
       const defaultTeam = await TeamService.getUserDefaultTeam(request.user.id);
 
       if (!defaultTeam) {

services/backend/tests/unit/routes/teams.test.ts

@@ -100,6 +100,12 @@ describe('Teams Route', () => {
       user: {
         id: 'user-123',
       } as any, // Use any to avoid complex Lucia User type issues in tests
+      log: {
+        debug: vi.fn(),
+        info: vi.fn(),
+        warn: vi.fn(),
+        error: vi.fn(),
+      },
     } as any;
 
     mockReply = {