From 88761db2b104ea8b4cbd6bcb72b9f09720cdd936 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Wed, 22 Jan 2025 09:45:14 +0100
Subject: [PATCH] fix(auth): check for existence of field before casting

Resolves https://vikunja.sentry.io/share/issue/6a21a679011a40b290ac531dd96c2adc/
---
 pkg/user/user.go | 76 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 51 insertions(+), 25 deletions(-)

diff --git a/pkg/user/user.go b/pkg/user/user.go
index 73014f1cc..1733e7f75 100644
--- a/pkg/user/user.go
+++ b/pkg/user/user.go
@@ -444,43 +444,69 @@ func GetCurrentUser(c echo.Context) (user *User, err error) {
 // GetUserFromClaims Returns a new user from jwt claims
 func GetUserFromClaims(claims jwt.MapClaims) (user *User, err error) {
- userID, ok := claims["id"].(float64)
- if !ok {
- return user, &ErrInvalidClaimData{
- Field: "id",
- Type: reflect.TypeOf(claims["id"]).String(),
- }
+ userID, err := getClaimAsInt(claims, "id")
+ if err != nil {
+ return nil, err
 }
- email, ok := claims["email"].(string)
- if !ok {
- return nil, &ErrInvalidClaimData{
- Field: "email",
- Type: reflect.TypeOf(claims["email"]).String(),
- }
+ email, err := getClaimAsString(claims, "email")
+ if err != nil {
+ return nil, err
 }
- username, ok := claims["username"].(string)
- if !ok {
- return nil, &ErrInvalidClaimData{
- Field: "username",
- Type: reflect.TypeOf(claims["username"]).String(),
- }
+ username, err := getClaimAsString(claims, "username")
+ if err != nil {
+ return nil, err
 }
- name, ok := claims["name"].(string)
- if !ok {
- return nil, &ErrInvalidClaimData{
- Field: "name",
- Type: reflect.TypeOf(claims["name"]).String(),
- }
+ name, err := getClaimAsString(claims, "name")
+ if err != nil {
+ return nil, err
 }
 return &User{
- ID: int64(userID),
+ ID: userID,
 Email: email,
 Username: username,
 Name: name,
 }, nil
 }
+func getClaimAsInt(claims jwt.MapClaims, field string) (int64, error) {
+ _, exists := claims[field]
+ if !exists {
+ return 0, &ErrInvalidClaimData{
+ Field: field,
+ Type: "missing",
+ }
+ }
+
+ value, ok := claims[field].(float64)
+ if !ok {
+ return 0, &ErrInvalidClaimData{
+ Field: field,
+ Type: reflect.TypeOf(claims[field]).String(),
+ }
+ }
+ return int64(value), nil
+}
+
+func getClaimAsString(claims jwt.MapClaims, field string) (string, error) {
+ _, exists := claims[field]
+ if !exists {
+ return "", &ErrInvalidClaimData{
+ Field: field,
+ Type: "missing",
+ }
+ }
+
+ value, ok := claims[field].(string)
+ if !ok {
+ return "", &ErrInvalidClaimData{
+ Field: field,
+ Type: reflect.TypeOf(claims[field]).String(),
+ }
+ }
+ return value, nil
+}
+
 // UpdateUser updates a user
 func UpdateUser(s *xorm.Session, user *User, forceOverride bool) (updatedUser *User, err error) {
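Review bot: A claim that is present but holds JSON `null` still panics in both new helpers: `_, exists := claims[field]` reports it as present, the type assertion on the nil value fails, and `reflect.TypeOf(claims[field])` returns a nil `reflect.Type`, so `.String()` dereferences nil — the same crash class this commit is fixing, reached with a different token payload. Reading the map once and treating a nil value like a missing one closes that hole; `fmt.Sprintf("%T", raw)` would also be nil-safe, but I cannot see from this hunk whether `fmt` is imported. The same rewrite applies to `getClaimAsString`. Separately, `int64(value)` silently truncates fractional values and loses precision above 2^53, and it would fail outright if the decoder were ever configured to yield `json.Number` instead of `float64` — the parse and signature-verification path is outside this hunk, so whether those inputs can reach here is not visible from this diff. `UpdateUser`'s body continues outside the hunk.
```go
func getClaimAsInt(claims jwt.MapClaims, field string) (int64, error) {
	raw, exists := claims[field]
	// A key set to JSON null is present with a nil value; reflect.TypeOf(nil).String() would panic.
	if !exists || raw == nil {
		return 0, &ErrInvalidClaimData{Field: field, Type: "missing"}
	}
	value, ok := raw.(float64)
	if !ok {
		return 0, &ErrInvalidClaimData{Field: field, Type: reflect.TypeOf(raw).String()}
	}
	// … unchanged: conversion to int64 and return …
}
```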