From 2522cffa6130cc821b2c7135e12ac1f67035f3b9 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Tue, 14 Jan 2025 16:38:49 +0100
Subject: [PATCH] fix(auth): return proper error when a jwt claim contains wrong data

Resolves https://vikunja.sentry.io/share/issue/69b578ccc3794de58cecfc7b8291ae64/
---
 pkg/user/error.go | 32 +++++++++++++++++++++++++++++---
 pkg/user/user.go | 37 ++++++++++++++++++++++++++++++-------
 2 files changed, 59 insertions(+), 10 deletions(-)

diff --git a/pkg/user/error.go b/pkg/user/error.go
index 2903f193c..3112e5a16 100644
--- a/pkg/user/error.go
+++ b/pkg/user/error.go
@@ -534,9 +534,7 @@ func (err *ErrUsernameMustNotContainSpaces) HTTPError() web.HTTPError {
 }
 
 // ErrMustNotBeLinkShare represents a "MustNotBeLinkShare" kind of error.
-type ErrMustNotBeLinkShare struct {
-	Username string
-}
+type ErrMustNotBeLinkShare struct{}
 
 // IsErrMustNotBeLinkShare checks if an error is a ErrMustNotBeLinkShare.
 func IsErrMustNotBeLinkShare(err error) bool {
@@ -559,3 +557,31 @@ func (err *ErrMustNotBeLinkShare) HTTPError() web.HTTPError {
 		Message: "You can't do that as a link share.",
 	}
 }
+
+// ErrInvalidClaimData represents a "InvalidClaimData" kind of error.
+type ErrInvalidClaimData struct {
+	Field string
+	Type string
+}
+
+// IsErrInvalidClaimData checks if an error is a ErrInvalidClaimData.
+func IsErrInvalidClaimData(err error) bool {
+	_, ok := err.(*ErrInvalidClaimData)
+	return ok
+}
+
+func (err *ErrInvalidClaimData) Error() string {
+	return fmt.Sprintf("invalid claim data for field %s of type %s", err.Field, err.Type)
+}
+
+// ErrCodeInvalidClaimData holds the unique world-error code of this error
+const ErrCodeInvalidClaimData = 1024
+
+// HTTPError holds the http error description
+func (err *ErrInvalidClaimData) HTTPError() web.HTTPError {
+	return web.HTTPError{
+		HTTPCode: http.StatusBadRequest,
+		Code: ErrCodeInvalidClaimData,
+		Message: fmt.Sprintf("Invalid claim data for field %s of type %s", err.Field, err.Type),
+	}
+}
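Review bot: `Error()` on ErrInvalidClaimData is the one method in this hunk without a doc comment, while `IsErrInvalidClaimData` and `HTTPError` right beside it have one; add `// Error returns the message, naming the offending claim field and the Go type that was found.` above it. The status code is also worth a second look: `http.StatusBadRequest` is returned for a token whose claims are malformed, not for a bad request body, so the client cannot repair the situation by resending the same request with the same token; if the surrounding auth layer maps token problems to 401 (not visible here), `HTTPCode: http.StatusUnauthorized` would tell clients to discard the token and re-authenticate, though this is a judgment call. `IsErrInvalidClaimData` matches only an unwrapped `*ErrInvalidClaimData`; that is presumably the same form the file's other IsErr helpers use, so it is fine for consistency, but callers that wrap the error with `%w` will get false from it.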
diff --git a/pkg/user/user.go b/pkg/user/user.go
index 2c96dc42b..73014f1cc 100644
--- a/pkg/user/user.go
+++ b/pkg/user/user.go
@@ -446,16 +446,39 @@ func GetCurrentUser(c echo.Context) (user *User, err error) {
 func GetUserFromClaims(claims jwt.MapClaims) (user *User, err error) {
 	userID, ok := claims["id"].(float64)
 	if !ok {
-		return user, ErrCouldNotGetUserID{}
+		return user, &ErrInvalidClaimData{
+			Field: "id",
+			Type: reflect.TypeOf(claims["id"]).String(),
+		}
 	}
 
-	user = &User{
-		ID: int64(userID),
-		Email: claims["email"].(string),
-		Username: claims["username"].(string),
-		Name: claims["name"].(string),
+	email, ok := claims["email"].(string)
+	if !ok {
+		return nil, &ErrInvalidClaimData{
+			Field: "email",
+			Type: reflect.TypeOf(claims["email"]).String(),
+		}
+	}
+	username, ok := claims["username"].(string)
+	if !ok {
+		return nil, &ErrInvalidClaimData{
+			Field: "username",
+			Type: reflect.TypeOf(claims["username"]).String(),
+		}
+	}
+	name, ok := claims["name"].(string)
+	if !ok {
+		return nil, &ErrInvalidClaimData{
+			Field: "name",
+			Type: reflect.TypeOf(claims["name"]).String(),
+		}
 	}
-	return
+	return &User{
+		ID: int64(userID),
+		Email: email,
+		Username: username,
+		Name: name,
+	}, nil
 }
 
 // UpdateUser updates a user
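Review bot: `reflect.TypeOf(claims["id"]).String()` still panics when the claim is absent rather than mistyped: a missing key yields a nil interface, `reflect.TypeOf(nil)` returns a nil `reflect.Type`, and calling `String` on it dereferences nil, so a token that simply lacks `email`, `username` or `name` crashes the handler instead of producing the new ErrInvalidClaimData, which is the failure mode the commit sets out to remove. The same expression is used at all four error sites in this hunk. A small helper that reports absent claims explicitly keeps the reflect-based type name for present values; `fmt.Sprintf("%T", v)` would do the same in one line, as it prints `<nil>` for a nil interface, if fmt is already imported in this file (not visible here). Separately, the `id` site keeps the older `return user, …` form while the three new sites return a literal `nil`; writing `return nil, …` at all four would make the branches read alike.
```go
// claimTypeName names the dynamic type of a claim value for error reporting.
// reflect.TypeOf returns nil for an absent claim and String on a nil
// reflect.Type panics, so the missing case is spelled out instead.
func claimTypeName(v any) string {
	if v == nil {
		return "<nil>"
	}
	return reflect.TypeOf(v).String()
}

func GetUserFromClaims(claims jwt.MapClaims) (user *User, err error) {
	userID, ok := claims["id"].(float64)
	if !ok {
		return nil, &ErrInvalidClaimData{
			Field: "id",
			Type:  claimTypeName(claims["id"]),
		}
	}
	// … unchanged: email, username and name checks, each with Type: claimTypeName(claims[...]) …
```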