barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2025-11-03 07:35:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: only accept claims following the OIDC spec

Browse Source
This commit is contained in:
Stavros
2025-04-25 15:28:24 +03:00
parent 13032e564d
commit 5e4e2ddbd9
7 changed files with 32 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
internal/handlers/handlers.go
View File

@@ -625,22 +625,20 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
log.Debug().Msg("Got user")
// Get email
email, ok := user["email"].(string)
if !ok {
log.Error().Msg("Failed to get email from user")
// Check that email is not empty
if user.Email == "" {
log.Warn().Msg("Email is empty")
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
return
}
// Email is not whitelisted
if !h.Auth.EmailWhitelisted(email) {
log.Warn().Str("email", email).Msg("Email not whitelisted")
if !h.Auth.EmailWhitelisted(user.Email) {
log.Warn().Str("email", user.Email).Msg("Email not whitelisted")
// Build query
queries, err := query.Values(types.UnauthorizedQuery{
Username: email,
Username: user.Email,
})
// Handle error
@@ -658,7 +656,7 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
// Create session cookie (also cleans up redirect cookie)
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
Username: email,
Username: user.Email,
Provider: providerName.Provider,
})