fix(oauth2): Fix crash when profile fields are missing (#5850)

Co-authored-by: Lautaro Alvarez <lautaro@grava.digital>
2024-11-21 09:16:30 -05:00 · 2024-11-01 11:21:10 -03:00 · 2024-11-01 11:21:10 -03:00 · 4fdab806a3
commit 4fdab806a3
parent 0f06adb9c7
3 changed files with 17 additions and 24 deletions
--- a/lib/web/auth/oauth2/index.js
+++ b/lib/web/auth/oauth2/index.js
@ -20,7 +20,7 @@ class OAuth2CustomStrategy extends Strategy {

  userProfile (accessToken, done) {
    this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) {
-      let json
+      let json, profile

      if (err) {
        return done(new InternalOAuthError('Failed to fetch user profile', err))
@ -33,7 +33,11 @@ class OAuth2CustomStrategy extends Strategy {
      }

      checkAuthorization(json, done)
-      const profile = parseProfile(json)
+      try {
+        profile = parseProfile(json)
+      } catch (ex) {
+        return done('Failed to identify user profile information', null)
+      }
      profile.provider = 'oauth2'

      done(null, profile)
@ -97,7 +101,7 @@ function checkAuthorization (data, done) {

 OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
  this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) {
-    let json
+    let json, profile

    if (err) {
      return done(new InternalOAuthError('Failed to fetch user profile', err))
@ -110,7 +114,11 @@ OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
    }

    checkAuthorization(json, done)
-    const profile = parseProfile(json)
+    try {
+      profile = parseProfile(json)
+    } catch (ex) {
+      return done('Failed to identify user profile information', null)
+    }
    profile.provider = 'oauth2'

    done(null, profile)
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@ -1,5 +1,10 @@
 # Release Notes

+## <i class="fa fa-tag"></i> 1.x.x <i class="fa fa-calendar-o"></i> UNRELEASED
+
+### Bugfixes
+- Fix a crash when cannot read user profile in Oauth
+
 ## <i class="fa fa-tag"></i> 1.10.0 <i class="fa fa-calendar-o"></i> 2024-09-01

 This release fixes a security issue when using MySQL/MariaDB. We recommend upgrading as soon as possible, when you use
--- a/yarn.lock
+++ b/yarn.lock
@ -2938,26 +2938,6 @@ __metadata:
  languageName: node
  linkType: hard

-"body-parser@npm:1.20.2":
-  version: 1.20.2
-  resolution: "body-parser@npm:1.20.2"
-  dependencies:
-    bytes: "npm:3.1.2"
-    content-type: "npm:~1.0.5"
-    debug: "npm:2.6.9"
-    depd: "npm:2.0.0"
-    destroy: "npm:1.2.0"
-    http-errors: "npm:2.0.0"
-    iconv-lite: "npm:0.4.24"
-    on-finished: "npm:2.4.1"
-    qs: "npm:6.11.0"
-    raw-body: "npm:2.5.2"
-    type-is: "npm:~1.6.18"
-    unpipe: "npm:1.0.0"
-  checksum: 10/3cf171b82190cf91495c262b073e425fc0d9e25cc2bf4540d43f7e7bbca27d6a9eae65ca367b6ef3993eea261159d9d2ab37ce444e8979323952e12eb3df319a
-  languageName: node
-  linkType: hard
-
 "body-parser@npm:1.20.3":
  version: 1.20.3
  resolution: "body-parser@npm:1.20.3"