mirror of
https://github.com/immich-app/immich.git
synced 2026-05-18 03:10:24 +03:00
fix(server): collapse OAuth callback messages to prevent email-existence oracle
Two distinct error messages in the OAuth callback endpoint revealed whether an email address was already registered in the database. An attacker controlling the OAuth provider's email claim could probe the user table without authentication. Both cases now return the same generic message.
This commit is contained in:
@@ -351,7 +351,7 @@ describe(`/oauth`, () => {
|
||||
const callbackParams = await loginWithOAuth('oauth-no-auto-register');
|
||||
const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
|
||||
expect(status).toBe(400);
|
||||
expect(body).toEqual(errorDto.badRequest('User does not exist and auto registering is disabled.'));
|
||||
expect(body).toEqual(errorDto.badRequest('OAuth authentication failed'));
|
||||
});
|
||||
|
||||
it('should link to an existing user by email', async () => {
|
||||
|
||||
@@ -322,7 +322,7 @@ export class AuthService extends BaseService {
|
||||
const emailUser = await this.userRepository.getByEmail(normalizedEmail);
|
||||
if (emailUser) {
|
||||
if (emailUser.oauthId) {
|
||||
throw new BadRequestException('User already exists, but is linked to another account.');
|
||||
throw new BadRequestException('OAuth authentication failed');
|
||||
}
|
||||
user = await this.userRepository.update(emailUser.id, { oauthId: profile.sub });
|
||||
}
|
||||
@@ -334,7 +334,7 @@ export class AuthService extends BaseService {
|
||||
this.logger.warn(
|
||||
`Unable to register ${profile.sub}/${normalizedEmail || '(no email)'}. To enable set OAuth Auto Register to true in admin settings.`,
|
||||
);
|
||||
throw new BadRequestException(`User does not exist and auto registering is disabled.`);
|
||||
throw new BadRequestException('OAuth authentication failed');
|
||||
}
|
||||
|
||||
if (!normalizedEmail) {
|
||||
|
||||
Reference in New Issue
Block a user