Fix missing email validation in OIDC exchange.

This commit is contained in:
Kailash Nadh 2024-10-20 23:49:59 +05:30
parent 13222b5eb9
commit e7109daaf3
2 changed files with 16 additions and 1 deletions


@ -1,7 +1,9 @@
package main
import (
"errors"
"net/http"
"net/mail"
"net/url"
"strings"
"time"
@ -90,8 +92,20 @@ func handleOIDCFinish(c echo.Context) error {
return renderLoginPage(c, err)
}
// Validate e-mail from the claim.
email := strings.TrimSpace(claims.Email)
if email == "" {
return renderLoginPage(c, errors.New(app.i18n.Ts("globals.messages.invalidFields", "name", "email")))
}
em, err := mail.ParseAddress(email)
if err != nil {
return renderLoginPage(c, err)
}
email = strings.ToLower(em.Address)
// Get the user by e-mail received from OIDC.
user, err := app.core.GetUser(0, "", claims.Email)
user, err := app.core.GetUser(0, "", email)
if err != nil {
return renderLoginPage(c, err)
}
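Review bot: The `mail.ParseAddress` error on the new `if err != nil` branch is rendered to the login page verbatim, while the empty-address branch directly above uses the i18n invalidFields message; a raw parser error string is unhelpful to the user and inconsistent with its sibling, so the branch should use the same message: `return renderLoginPage(c, errors.New(app.i18n.Ts("globals.messages.invalidFields", "name", "email")))`. `strings.ToLower(em.Address)` also lowercases the local part, and the `GetUser` query in the second file compares `email = $3` exactly, so the lookup only matches if stored addresses were normalised the same way at creation — worth confirming against the user-creation path, which is outside this diff. Separately, the address is taken from the ID token claim alone; if the claims struct exposes an `email_verified` field, the login should presumably require it to be true before the lookup, since an unverified e-mail claim is not a reliable identity at every provider. `handleOIDCFinish` starts and ends outside the hunk.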


@ -1132,6 +1132,7 @@ FROM users
WHERE
(
CASE
-- either filter one row by id/username/text OR match all rows.
WHEN $1::INT != 0 THEN users.id = $1
WHEN $2::TEXT != '' THEN username = $2
WHEN $3::TEXT != '' THEN email = $3