From 6dd3478ff94c937dd7e0edee4e27ff8545462f19 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 21 Apr 2023 00:07:02 +0200
Subject: [PATCH] fix: abort if oauth user info is invalid

---
 backend/routes/auth/discord.go | 10 ++++++++++
 backend/routes/auth/fedi_mastodon.go | 10 ++++++++++
 backend/routes/auth/fedi_misskey.go | 10 ++++++++++
 backend/routes/auth/google.go | 10 ++++++++++
 backend/routes/auth/tumblr.go | 10 ++++++++++
 5 files changed, 50 insertions(+)

diff --git a/backend/routes/auth/discord.go b/backend/routes/auth/discord.go
index 7ef3b04..34b0f93 100644
--- a/backend/routes/auth/discord.go
+++ b/backend/routes/auth/discord.go
@@ -193,6 +193,11 @@ func (s *Server) discordLink(w http.ResponseWriter, r *http.Request) error {
 return server.APIError{Code: server.ErrInvalidTicket}
 }

+ if du.ID == "" {
+ log.Errorf("linking user with id %v: discord user ID was empty", claims.UserID)
+ return server.APIError{Code: server.ErrInternalServerError, Details: "Discord user ID is empty"}
+ }
+
 err = u.UpdateFromDiscord(ctx, s.DB, du)
 if err != nil {
 return errors.Wrap(err, "updating user from discord")
@@ -302,6 +307,11 @@ func (s *Server) discordSignup(w http.ResponseWriter, r *http.Request) error {
 return errors.Wrap(err, "creating user")
 }

+ if du.ID == "" {
+ log.Errorf("creating user with name %q: user ID was empty", req.Username)
+ return server.APIError{Code: server.ErrInternalServerError, Details: "Discord user ID is empty"}
+ }
+
 err = u.UpdateFromDiscord(ctx, tx, du)
 if err != nil {
 return errors.Wrap(err, "updating user from discord")
diff --git a/backend/routes/auth/fedi_mastodon.go b/backend/routes/auth/fedi_mastodon.go
index aece379..85bab13 100644
--- a/backend/routes/auth/fedi_mastodon.go
+++ b/backend/routes/auth/fedi_mastodon.go
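Review bot: The same five-line empty-ID guard is pasted into ten handlers (the Link and Signup handlers for Discord, Mastodon, Misskey, Google and Tumblr), and the copies have already drifted: discordLink logs `discord user ID was empty`, while the other nine log a bare `user ID was empty` that cannot be attributed to a provider when triaging logs. An empty provider ID stored on more than one account would presumably make those accounts indistinguishable at login, so the invariant is worth enforcing once at the write path, for example at the top of `UpdateFromDiscord`, `UpdateFromFedi`, `UpdateFromGoogle` and `UpdateFromTumblr`, where a new provider or handler cannot miss it. At minimum, name the provider in every log line, e.g. `log.Errorf("linking user with id %v: mastodon user ID was empty", claims.UserID)`. discordLink's body starts and ends outside the hunk.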
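Review bot: In discordSignup the guard sits after the user-creation step (the context line above it returns `errors.Wrap(err, "creating user")`), so an empty `du.ID` is only detected once the new user has already been created, presumably inside `tx`. The early return is then safe only if `tx` is rolled back on every error path, which is not visible in this hunk. Checking `du.ID` as soon as `du` is available, above the user-creation call, removes that dependency and avoids the wasted write. The same ordering appears in mastodonSignup, misskeySignup, googleSignup and tumblrSignup.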
@@ -220,6 +220,11 @@ func (s *Server) mastodonLink(w http.ResponseWriter, r *http.Request) error {
 return server.APIError{Code: server.ErrInvalidTicket}
 }

+ if mu.ID == "" {
+ log.Errorf("linking user with id %v: user ID was empty", claims.UserID)
+ return server.APIError{Code: server.ErrInternalServerError, Details: "Mastodon user ID is empty"}
+ }
+
 err = u.UpdateFromFedi(ctx, s.DB, mu.ID, mu.Username, app.ID)
 if err != nil {
 return errors.Wrap(err, "updating user from mastoAPI")
@@ -330,6 +335,11 @@ func (s *Server) mastodonSignup(w http.ResponseWriter, r *http.Request) error {
 return errors.Wrap(err, "creating user")
 }

+ if mu.ID == "" {
+ log.Errorf("creating user with name %q: user ID was empty", req.Username)
+ return server.APIError{Code: server.ErrInternalServerError, Details: "Mastodon user ID is empty"}
+ }
+
 err = u.UpdateFromFedi(ctx, tx, mu.ID, mu.Username, app.ID)
 if err != nil {
 return errors.Wrap(err, "updating user from mastoAPI")
diff --git a/backend/routes/auth/fedi_misskey.go b/backend/routes/auth/fedi_misskey.go
index 9d869ad..69b0d94 100644
--- a/backend/routes/auth/fedi_misskey.go
+++ b/backend/routes/auth/fedi_misskey.go
@@ -195,6 +195,11 @@ func (s *Server) misskeyLink(w http.ResponseWriter, r *http.Request) error {
 return server.APIError{Code: server.ErrInvalidTicket}
 }

+ if mu.ID == "" {
+ log.Errorf("linking user with id %v: user ID was empty", claims.UserID)
+ return server.APIError{Code: server.ErrInternalServerError, Details: "Misskey user ID is empty"}
+ }
+
 err = u.UpdateFromFedi(ctx, s.DB, mu.ID, mu.Username, app.ID)
 if err != nil {
 return errors.Wrap(err, "updating user from misskey")
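Review bot: The log line in mastodonLink does not record which instance returned the empty ID, although `app.ID` is in scope (it is passed to `UpdateFromFedi` two lines later). Each fediverse instance is a separate, operator-controlled identity source, so the instance is the field needed to tell one misbehaving server from a general decoding bug. Suggest `log.Errorf("linking user with id %v: mastodon user ID was empty (app %v)", claims.UserID, app.ID)`. The same applies to mastodonSignup, misskeyLink and misskeySignup.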
@@ -260,6 +265,11 @@ func (s *Server) misskeySignup(w http.ResponseWriter, r *http.Request) error {
 return errors.Wrap(err, "creating user")
 }

+ if mu.ID == "" {
+ log.Errorf("creating user with name %q: user ID was empty", req.Username)
+ return server.APIError{Code: server.ErrInternalServerError, Details: "Misskey user ID is empty"}
+ }
+
 err = u.UpdateFromFedi(ctx, tx, mu.ID, mu.Username, app.ID)
 if err != nil {
 return errors.Wrap(err, "updating user from misskey")
diff --git a/backend/routes/auth/google.go b/backend/routes/auth/google.go
index d28b48b..9edb21e 100644
--- a/backend/routes/auth/google.go
+++ b/backend/routes/auth/google.go
@@ -208,6 +208,11 @@ func (s *Server) googleLink(w http.ResponseWriter, r *http.Request) error {
 return server.APIError{Code: server.ErrInvalidTicket}
 }

+ if gu.ID == "" {
+ log.Errorf("linking user with id %v: user ID was empty", claims.UserID)
+ return server.APIError{Code: server.ErrInternalServerError, Details: "Google user ID is empty"}
+ }
+
 err = u.UpdateFromGoogle(ctx, s.DB, gu.ID, gu.Email)
 if err != nil {
 return errors.Wrap(err, "updating user from google")
@@ -306,6 +311,11 @@ func (s *Server) googleSignup(w http.ResponseWriter, r *http.Request) error {
 return errors.Wrap(err, "creating user")
 }

+ if gu.ID == "" {
+ log.Errorf("creating user with name %q: user ID was empty", req.Username)
+ return server.APIError{Code: server.ErrInternalServerError, Details: "Google user ID is empty"}
+ }
+
 err = u.UpdateFromGoogle(ctx, tx, gu.ID, gu.Email)
 if err != nil {
 return errors.Wrap(err, "updating user from google")
diff --git a/backend/routes/auth/tumblr.go b/backend/routes/auth/tumblr.go
index 22ee4e4..8fdddf1 100644
--- a/backend/routes/auth/tumblr.go
+++ b/backend/routes/auth/tumblr.go
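Review bot: Only `gu.ID` is checked in googleLink, while `gu.Email` goes into the same `UpdateFromGoogle` call unchecked, so user info with an ID but an empty email is still stored even though the commit subject speaks of invalid user info in general. If the email is shown to the user or used to identify the linked account, it deserves the same guard, e.g. `if gu.ID == "" || gu.Email == "" {`; whether that is the case depends on `UpdateFromGoogle`, which is outside this diff. googleSignup has the same call shape, and tumblrLink and tumblrSignup pass `tui.Name` alongside `tui.ID` in the same way.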
@@ -241,6 +241,11 @@ func (s *Server) tumblrLink(w http.ResponseWriter, r *http.Request) error {
 return server.APIError{Code: server.ErrInvalidTicket}
 }

+ if tui.ID == "" {
+ log.Errorf("linking user with id %v: user ID was empty", claims.UserID)
+ return server.APIError{Code: server.ErrInternalServerError, Details: "Tumblr user ID is empty"}
+ }
+
 err = u.UpdateFromTumblr(ctx, s.DB, tui.ID, tui.Name)
 if err != nil {
 return errors.Wrap(err, "updating user from tumblr")
@@ -339,6 +344,11 @@ func (s *Server) tumblrSignup(w http.ResponseWriter, r *http.Request) error {
 return errors.Wrap(err, "creating user")
 }

+ if tui.ID == "" {
+ log.Errorf("creating user with name %q: user ID was empty", req.Username)
+ return server.APIError{Code: server.ErrInternalServerError, Details: "Tumblr user ID is empty"}
+ }
+
 err = u.UpdateFromTumblr(ctx, tx, tui.ID, tui.Name)
 if err != nil {
 return errors.Wrap(err, "updating user from tumblr")