From 11281cfd1a733a479b61884a7811784b6403f2d0 Mon Sep 17 00:00:00 2001
From: Jealous
Date: Thu, 19 Feb 2026 23:28:41 +0800
Subject: [PATCH] fix(server): add missing return after error responses

In BeginAuthnRegistration (webauthn.go), missing return statements after error responses caused the function to continue executing with a nil authnInstance, potentially leading to a nil pointer panic.

In OIDCLoginCallback and SSOLoginCallback (ssologin.go), missing return statements after GenerateToken/autoRegister errors caused the handler to send a second response, resulting in a superfluous response write.

In SetThunderBrowser (offline_download.go), the default case of the storage type switch sent an error response but did not return, causing SaveSettingItems and tool initialization to continue executing even when driver type validation failed.

Co-Authored-By: Claude Sonnet 4.6
---
 server/handles/offline_download.go | 1 +
 server/handles/ssologin.go | 3 +++
 server/handles/webauthn.go | 3 +++
 3 files changed, 7 insertions(+)

diff --git a/server/handles/offline_download.go b/server/handles/offline_download.go
index 153b27293..b726d7152 100644
--- a/server/handles/offline_download.go
+++ b/server/handles/offline_download.go
@@ -448,6 +448,7 @@ func SetThunderBrowser(c *gin.Context) {
 case *thunder_browser.ThunderBrowser, *thunder_browser.ThunderBrowserExpert:
 default:
 common.ErrorStrResp(c, "unsupported storage driver for offline download, only ThunderBrowser is supported", 400)
+ return
 }
 }
 items := []model.SettingItem{
diff --git a/server/handles/ssologin.go b/server/handles/ssologin.go
index a36e79d38..4baabf6c1 100644
--- a/server/handles/ssologin.go
+++ b/server/handles/ssologin.go
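Review bot: Nothing in this patch pins the new fail-closed behaviour of the `default:` arm: the diffstat touches only the three handler files, so the `return` could be lost again in a later refactor without any test noticing. A handler test that submits a storage of another driver type and asserts a single 400 response with no setting items saved would cover it, and the same applies to the `return`s added in ssologin.go and webauthn.go. A short comment on the new line would also help the next reader, e.g. `// stop here: settings must not be saved for an unsupported driver`. The switch and SetThunderBrowser itself start and end outside the hunk.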
@@ -256,11 +256,13 @@ func OIDCLoginCallback(c *gin.Context) {
 user, err = autoRegister(userID, userID, err)
 if err != nil {
 common.ErrorResp(c, err, 400)
+ return
 }
 }
 token, err := common.GenerateToken(user)
 if err != nil {
 common.ErrorResp(c, err, 400)
+ return
 }
 if useCompatibility {
 c.Redirect(302, common.GetApiUrl(c)+"/@login?token="+token)
@@ -427,6 +429,7 @@ func SSOLoginCallback(c *gin.Context) {
 token, err := common.GenerateToken(user)
 if err != nil {
 common.ErrorResp(c, err, 400)
+ return
 }
 if usecompatibility {
 c.Redirect(302, common.GetApiUrl(c)+"/@login?token="+token)
diff --git a/server/handles/webauthn.go b/server/handles/webauthn.go
index c7ad4edfe..b2a0fbfb4 100644
--- a/server/handles/webauthn.go
+++ b/server/handles/webauthn.go
@@ -130,17 +130,20 @@ func BeginAuthnRegistration(c *gin.Context) {
 authnInstance, err := authn.NewAuthnInstance(c)
 if err != nil {
 common.ErrorResp(c, err, 400)
+ return
 }
 options, sessionData, err := authnInstance.BeginRegistration(user)
 if err != nil {
 common.ErrorResp(c, err, 400)
+ return
 }
 val, err := json.Marshal(sessionData)
 if err != nil {
 common.ErrorResp(c, err, 400)
+ return
 }
 common.SuccessResp(c, gin.H{
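Review bot: On the success path just below the new `return`, the compatibility branch still places the freshly issued token in the redirect query string (`"/@login?token="+token`), here and in the SSOLoginCallback hunk; a token carried in a URL tends to end up in browser history, proxy and access logs, and possibly Referer headers. This predates the commit, but since the patch is hardening these callbacks it is worth tracking: a URL fragment, or a short-lived one-time code exchanged for the token, would keep it out of logs. Separately, a GenerateToken failure is a server-side fault, so `common.ErrorResp(c, err, 500)` would be more accurate than 400, and whether `err` is echoed verbatim to an unauthenticated caller depends on ErrorResp, which is not visible here. Both functions continue outside their hunks.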
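Review bot: `val` is the JSON-serialised `sessionData`, and the very next statement opens the success payload (`common.SuccessResp(c, gin.H{`), whose fields lie outside the hunk; if `val` is returned to the browser, the registration challenge state is client-held and the finish step must not trust what comes back without integrity protection or a server-side copy. I would keep the session data server-side keyed to the user, or at least add a comment at the Marshal call stating how the finish handler validates it. Also, a `json.Marshal` failure is not a client error, so `common.ErrorResp(c, err, 500)` fits that branch better than 400.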