Missing user profile attributes for OAuth2 Login lead to an uncaught Exception
heavygale opened this issue
Description
If the application is configured with oauth2 without setting the user profile attributes, a login attempt leads to an exception and the application is terminated.
Steps to reproduce
Set up the application with oauth2 (e.g. using docker), but do not specify these values:
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR
Expected behaviour
If the configuration is incomplete, a login attempt should only result in an error message for the user, or the application should deactivate the OAuth2 login method at startup and log a message about the missing parameters.
Logs
app-1 | 2024-02-17T13:40:55.702Z error: uncaughtException: Cannot read properties of undefined (reading 'split')
app-1 | TypeError: Cannot read properties of undefined (reading 'split')
app-1 | at extractProfileAttribute (/hedgedoc/lib/web/auth/oauth2/index.js:46:15)
app-1 | at parseProfile (/hedgedoc/lib/web/auth/oauth2/index.js:57:20)
app-1 | at /hedgedoc/lib/web/auth/oauth2/index.js:107:21
app-1 | at passBackControl (/hedgedoc/node_modules/oauth/lib/oauth2.js:134:9)
app-1 | at IncomingMessage.<anonymous> (/hedgedoc/node_modules/oauth/lib/oauth2.js:157:7)
app-1 | at IncomingMessage.emit (node:events:526:35)
app-1 | at endReadableNT (node:internal/streams/readable:1376:12)
app-1 | at process.processTicksAndRejections (node:internal/process/task_queues:82:21)
app-1 | 2024-02-17T13:40:55.702Z error: An uncaught exception has occured.
app-1 | 2024-02-17T13:40:55.702Z error: Cannot read properties of undefined (reading 'split')
app-1 | 2024-02-17T13:40:55.702Z error: Process will exit now.
Config
Using docker compose environment values for app:
- CMD_OAUTH2_AUTHORIZATION_URL=https://[...]
- CMD_OAUTH2_TOKEN_URL=https://[...]
- CMD_OAUTH2_USER_PROFILE_URL=https://[...]
- CMD_OAUTH2_CLIENT_ID=[...]
- CMD_OAUTH2_CLIENT_SECRET=[...]
- CMD_OAUTH2_PROVIDERNAME=[...]
The following values have not been added to the configuration:
- CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR
- CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR
- CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR
Your Setup
docker compose, using quay.io/hedgedoc/hedgedoc:1.9.9
Additional context
https://github.com/joachimmathes/hedgedoc/blob/master/lib/web/auth/oauth2/index.js#L53-L55
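Both behaviours requested under "Expected behaviour" (a startup check that disables the login method, and a login-time error instead of a crash), sketched as an added example that is not part of the original issue and not HedgeDoc's own code. Only the `CMD_OAUTH2_*` names come from the issue; the function names, the `attrs` object and the dotted-path syntax are assumptions.

```javascript
// Added example. Only the CMD_OAUTH2_* names come from the issue; every
// function name and the attrs object shape are hypothetical.
const REQUIRED_ATTRS = [
  'CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR',
  'CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR',
  'CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR'
]

// Startup check: names of required settings that are unset or blank.
function missingOAuth2Attrs (env) {
  return REQUIRED_ATTRS.filter(
    name => typeof env[name] !== 'string' || env[name].trim() === '')
}

// Register the OAuth2 login method only when the configuration is complete.
function oauth2LoginEnabled (env, log = console) {
  const missing = missingOAuth2Attrs(env)
  if (missing.length === 0) return true
  log.warn(`OAuth2 login disabled, missing: ${missing.join(', ')}`)
  return false
}

// Look up a dotted path (assumed syntax, e.g. "user.login") in the profile.
// Returns undefined instead of throwing when the path is unset or does not
// resolve; own-property checks keep "__proto__" style paths from matching.
function extractAttr (profile, path) {
  if (typeof path !== 'string' || path === '') return undefined
  let value = profile
  for (const segment of path.split('.')) {
    if (value === null || typeof value !== 'object') return undefined
    if (!Object.prototype.hasOwnProperty.call(value, segment)) return undefined
    value = value[segment]
  }
  return value
}

// Runs inside the HTTP callback, so failures go to done(err) rather than
// escaping as an uncaught exception that terminates the process.
function parseProfile (body, attrs, done) {
  let json
  try { json = JSON.parse(body) } catch (e) {
    return done(new Error('profile response is not valid JSON'))
  }
  const username = extractAttr(json, attrs.username)
  if (typeof username !== 'string' || username === '') {
    return done(new Error('username attribute not found in profile'))
  }
  const displayName = extractAttr(json, attrs.displayName)
  return done(null, { username, displayName, email: extractAttr(json, attrs.email) })
}
```

With the startup check in place, an incomplete configuration is reported once in the log; with the defensive parser, a login attempt against it ends in an authentication error for that request only.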