refactor: only accept claims following the OIDC spec

2025-10-29 05:05:42 +00:00 · 2025-04-25 15:28:24 +03:00
parent 13032e564d
commit 5e4e2ddbd9
7 changed files with 32 additions and 19 deletions
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -189,7 +189,7 @@ func init() {
 	rootCmd.Flags().String("generic-auth-url", "", "Generic OAuth auth URL.")
 	rootCmd.Flags().String("generic-token-url", "", "Generic OAuth token URL.")
 	rootCmd.Flags().String("generic-user-url", "", "Generic OAuth user info URL.")
-	rootCmd.Flags().String("generic-name", "Other", "Generic OAuth provider name.")
+	rootCmd.Flags().String("generic-name", "Generic", "Generic OAuth provider name.")
 	rootCmd.Flags().Bool("disable-continue", false, "Disable continue screen and redirect to app directly.")
 	rootCmd.Flags().String("oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth.")
 	rootCmd.Flags().Int("session-expiry", 86400, "Session (cookie) expiration time in seconds.")
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -7,3 +7,14 @@ var TinyauthLabels = []string{
 	"tinyauth.allowed",
 	"tinyauth.headers",
 }
+
+// Claims are the OIDC supported claims
+type Claims struct {
+	Name       string `json:"name"`
+	FamilyName string `json:"family_name"`
+	GivenName  string `json:"given_name"`
+	MiddleName string `json:"middle_name"`
+	Nickname   string `json:"nickname"`
+	Picture    string `json:"picture"`
+	Email      string `json:"email"`
+}
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -625,22 +625,20 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {

 	log.Debug().Msg("Got user")

-	// Get email
-	email, ok := user["email"].(string)
-
-	if !ok {
-		log.Error().Msg("Failed to get email from user")
+	// Check that email is not empty
+	if user.Email == "" {
+		log.Warn().Msg("Email is empty")
 		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
 		return
 	}

 	// Email is not whitelisted
-	if !h.Auth.EmailWhitelisted(email) {
-		log.Warn().Str("email", email).Msg("Email not whitelisted")
+	if !h.Auth.EmailWhitelisted(user.Email) {
+		log.Warn().Str("email", user.Email).Msg("Email not whitelisted")

 		// Build query
 		queries, err := query.Values(types.UnauthorizedQuery{
-			Username: email,
+			Username: user.Email,
 		})

 		// Handle error
@@ -658,7 +656,7 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {

 	// Create session cookie (also cleans up redirect cookie)
 	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
-		Username: email,
+		Username: user.Email,
 		Provider: providerName.Provider,
 	})

--- a/internal/providers/generic.go
+++ b/internal/providers/generic.go
@@ -4,13 +4,14 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"tinyauth/internal/constants"

 	"github.com/rs/zerolog/log"
 )

-func GetGenericUser(client *http.Client, url string) (map[string]interface{}, error) {
+func GetGenericUser(client *http.Client, url string) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims

 	// Using the oauth client get the user info url
 	res, err := client.Get(url)
--- a/internal/providers/github.go
+++ b/internal/providers/github.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"io"
 	"net/http"
+	"tinyauth/internal/constants"

 	"github.com/rs/zerolog/log"
 )
@@ -20,9 +21,9 @@ func GithubScopes() []string {
 	return []string{"user:email"}
 }

-func GetGithubUser(client *http.Client) (map[string]interface{}, error) {
+func GetGithubUser(client *http.Client) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims

 	// Get the user emails from github using the oauth http client
 	res, err := client.Get("https://api.github.com/user/emails")
@@ -60,7 +61,7 @@ func GetGithubUser(client *http.Client) (map[string]interface{}, error) {
 	// Find and return the primary email
 	for _, email := range emails {
 		if email.Primary {
-			user["email"] = email.Email
+			user.Email = email.Email
 			return user, nil
 		}
 	}
--- a/internal/providers/google.go
+++ b/internal/providers/google.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"tinyauth/internal/constants"

 	"github.com/rs/zerolog/log"
 )
@@ -13,9 +14,9 @@ func GoogleScopes() []string {
 	return []string{"https://www.googleapis.com/auth/userinfo.email"}
 }

-func GetGoogleUser(client *http.Client) (map[string]interface{}, error) {
+func GetGoogleUser(client *http.Client) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims

 	// Get the user info from google using the oauth http client
 	res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
--- a/internal/providers/providers.go
+++ b/internal/providers/providers.go
@@ -2,6 +2,7 @@ package providers

 import (
 	"fmt"
+	"tinyauth/internal/constants"
 	"tinyauth/internal/oauth"
 	"tinyauth/internal/types"

@@ -93,9 +94,9 @@ func (providers *Providers) GetProvider(provider string) *oauth.OAuth {
 	}
 }

-func (providers *Providers) GetUser(provider string) (map[string]interface{}, error) {
+func (providers *Providers) GetUser(provider string) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims

 	// Get the user from the provider
 	switch provider {