mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-22 01:36:29 -05:00
fix(oauth2): Fix crash in rolesClaim extraction
This patch adds a try-catch around the rolesClaim extraction to prevent full crashes of HedgeDoc when a user profile is read, that doesn't contain any such claim, which can happen with some IdPs, like Keycloak, that omit the attribute when it's empty. As a result an authorized user would crash the entire server, which is definitely unintended behaviour. The simply try-catch should resolve the issue and make sure that roles is always defined even if the `extractProfileAttribute` call fails. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
parent
5db2fa1a0e
commit
1f1b2bd386
1 changed files with 7 additions and 1 deletions
|
@ -75,7 +75,13 @@ function checkAuthorization (data, done) {
|
|||
logger.error('oauth2: "accessRole" is configured, but "rolesClaim" is missing from the config. Can\'t check group membership!')
|
||||
} else {
|
||||
// parse and check role data
|
||||
const roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
|
||||
let roles = []
|
||||
try {
|
||||
roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
|
||||
} catch (err) {
|
||||
logger.warn(`oauth2: failed to extract rolesClaim '${config.oauth2.rolesClaim}' from user profile.`)
|
||||
return done('Permission denied', null)
|
||||
}
|
||||
if (!roles) {
|
||||
logger.error('oauth2: "accessRole" is configured, but user profile doesn\'t contain roles attribute. Permission denied')
|
||||
return done('Permission denied', null)
|
||||
|
|
Loading…
Reference in a new issue