refactor: only accept claims following the OIDC spec

internal/constants/constants.go

@@ -7,3 +7,14 @@ var TinyauthLabels = []string{
 	"tinyauth.allowed",
 	"tinyauth.headers",
 }
+
+// Claims are the OIDC supported claims
+type Claims struct {
+	Name       string `json:"name"`
+	FamilyName string `json:"family_name"`
+	GivenName  string `json:"given_name"`
+	MiddleName string `json:"middle_name"`
+	Nickname   string `json:"nickname"`
+	Picture    string `json:"picture"`
+	Email      string `json:"email"`
+}

internal/handlers/handlers.go

@@ -625,22 +625,20 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
 
 	log.Debug().Msg("Got user")
 
-	// Get email
-	email, ok := user["email"].(string)
-
-	if !ok {
-		log.Error().Msg("Failed to get email from user")
+	// Check that email is not empty
+	if user.Email == "" {
+		log.Warn().Msg("Email is empty")
 		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
 		return
 	}
 
 	// Email is not whitelisted
-	if !h.Auth.EmailWhitelisted(email) {
-		log.Warn().Str("email", email).Msg("Email not whitelisted")
+	if !h.Auth.EmailWhitelisted(user.Email) {
+		log.Warn().Str("email", user.Email).Msg("Email not whitelisted")
 
 		// Build query
 		queries, err := query.Values(types.UnauthorizedQuery{
-			Username: email,
+			Username: user.Email,
 		})
 
 		// Handle error
@@ -658,7 +656,7 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
 
 	// Create session cookie (also cleans up redirect cookie)
 	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
-		Username: email,
+		Username: user.Email,
 		Provider: providerName.Provider,
 	})
 

internal/providers/generic.go

@@ -4,13 +4,14 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"tinyauth/internal/constants"
 
 	"github.com/rs/zerolog/log"
 )
 
-func GetGenericUser(client *http.Client, url string) (map[string]interface{}, error) {
+func GetGenericUser(client *http.Client, url string) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims
 
 	// Using the oauth client get the user info url
 	res, err := client.Get(url)

internal/providers/github.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"io"
 	"net/http"
+	"tinyauth/internal/constants"
 
 	"github.com/rs/zerolog/log"
 )
@@ -20,9 +21,9 @@ func GithubScopes() []string {
 	return []string{"user:email"}
 }
 
-func GetGithubUser(client *http.Client) (map[string]interface{}, error) {
+func GetGithubUser(client *http.Client) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims
 
 	// Get the user emails from github using the oauth http client
 	res, err := client.Get("https://api.github.com/user/emails")
@@ -60,7 +61,7 @@ func GetGithubUser(client *http.Client) (map[string]interface{}, error) {
 	// Find and return the primary email
 	for _, email := range emails {
 		if email.Primary {
-			user["email"] = email.Email
+			user.Email = email.Email
 			return user, nil
 		}
 	}

internal/providers/google.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"tinyauth/internal/constants"
 
 	"github.com/rs/zerolog/log"
 )
@@ -13,9 +14,9 @@ func GoogleScopes() []string {
 	return []string{"https://www.googleapis.com/auth/userinfo.email"}
 }
 
-func GetGoogleUser(client *http.Client) (map[string]interface{}, error) {
+func GetGoogleUser(client *http.Client) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims
 
 	// Get the user info from google using the oauth http client
 	res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")

internal/providers/providers.go

@@ -2,6 +2,7 @@ package providers
 
 import (
 	"fmt"
+	"tinyauth/internal/constants"
 	"tinyauth/internal/oauth"
 	"tinyauth/internal/types"
 
@@ -93,9 +94,9 @@ func (providers *Providers) GetProvider(provider string) *oauth.OAuth {
 	}
 }
 
-func (providers *Providers) GetUser(provider string) (map[string]interface{}, error) {
+func (providers *Providers) GetUser(provider string) (constants.Claims, error) {
 	// Create user struct
-	user := make(map[string]interface{})
+	var user constants.Claims
 
 	// Get the user from the provider
 	switch provider {