Fix missing email validation in OIDC exchange.
This commit is contained in:
parent
13222b5eb9
commit
e7109daaf3
2 changed files with 16 additions and 1 deletions
16
cmd/auth.go
16
cmd/auth.go
|
@ -1,7 +1,9 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net/http"
|
||||
"net/mail"
|
||||
"net/url"
|
||||
"strings"
|
||||
"time"
|
||||
|
@ -90,8 +92,20 @@ func handleOIDCFinish(c echo.Context) error {
|
|||
return renderLoginPage(c, err)
|
||||
}
|
||||
|
||||
// Validate e-mail from the claim.
|
||||
email := strings.TrimSpace(claims.Email)
|
||||
if email == "" {
|
||||
return renderLoginPage(c, errors.New(app.i18n.Ts("globals.messages.invalidFields", "name", "email")))
|
||||
}
|
||||
|
||||
em, err := mail.ParseAddress(email)
|
||||
if err != nil {
|
||||
return renderLoginPage(c, err)
|
||||
}
|
||||
email = strings.ToLower(em.Address)
|
||||
|
||||
// Get the user by e-mail received from OIDC.
|
||||
user, err := app.core.GetUser(0, "", claims.Email)
|
||||
user, err := app.core.GetUser(0, "", email)
|
||||
if err != nil {
|
||||
return renderLoginPage(c, err)
|
||||
}
|
||||
|
|
|
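Review bot: The `if err != nil` branch after `mail.ParseAddress` returns the raw `net/mail` parser error to the login page, whereas the empty-address case a few lines above returns the localized `globals.messages.invalidFields` message; the two rejections should surface the same text, so change the branch to `return renderLoginPage(c, errors.New(app.i18n.Ts("globals.messages.invalidFields", "name", "email")))`. That also keeps internal parser wording out of a user-facing page. `strings.ToLower(em.Address)` lowercases the local part as well as the domain, so the `email = $3` lookup in the query below only matches if stored addresses are lowercased the same way — worth confirming against the user-creation path. Whether the provider's verified-email claim is checked before the address is trusted for the lookup is not visible in this hunk; handleOIDCFinish begins and ends outside it.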
@ -1132,6 +1132,7 @@ FROM users
|
|||
WHERE
|
||||
(
|
||||
CASE
|
||||
-- either filter one row by id/username/text OR match all rows.
|
||||
WHEN $1::INT != 0 THEN users.id = $1
|
||||
WHEN $2::TEXT != '' THEN username = $2
|
||||
WHEN $3::TEXT != '' THEN email = $3
|
||||
|
|