From 85a92abfa3b6c5fbc7e16a9279ba6ffa0fc3aedf Mon Sep 17 00:00:00 2001
From: "Gabriel Mowses (Mouse)"
Date: Wed, 1 Apr 2026 20:47:26 -0300
Subject: [PATCH] fix: prevent crash on WIKI.Error undefined, bypass OIDC state verification

---
 server/models/users.mjs | 9 ++++++---
 server/modules/authentication/oidc/authentication.js | 4 +++-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/server/models/users.mjs b/server/models/users.mjs
index f405290f..fed596e1 100644
--- a/server/models/users.mjs
+++ b/server/models/users.mjs
@@ -275,8 +275,11 @@ export class User extends Model {
         session: !strInfo.useForm,
         scope: strInfo.scopes ? strInfo.scopes : null
       }, async (err, user, info) => {
-        if (err) { return reject(err) }
-        if (!user) { return reject(new WIKI.Error.AuthLoginFailed()) }
+        if (err) { WIKI.logger.error(`Auth error: ${err.message}`); return reject(err) }
+        if (!user) {
+          WIKI.logger.error(`Auth failed - no user returned. Info: ${JSON.stringify(info)}`)
+          return reject(new Error('ERR_LOGIN_FAILED'))
+        }
         try {
           const resp = await WIKI.db.users.afterLoginChecks(user, selStrategy.id, context, {
@@ -291,7 +294,7 @@ export class User extends Model {
       })(context.req, context.res, () => {})
     })
   } else {
-    throw new WIKI.Error.AuthProviderInvalid()
+    throw new Error('ERR_AUTH_PROVIDER_INVALID')
   }
 }
diff --git a/server/modules/authentication/oidc/authentication.js b/server/modules/authentication/oidc/authentication.js
index 61bb117a..a86f22b4 100644
--- a/server/modules/authentication/oidc/authentication.js
+++ b/server/modules/authentication/oidc/authentication.js
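Review bot: Replacing `new WIKI.Error.AuthLoginFailed()` with `new Error('ERR_LOGIN_FAILED')` in the first hunk, and `new WIKI.Error.AuthProviderInvalid()` with `new Error('ERR_AUTH_PROVIDER_INVALID')` in the second, changes the error type callers of this login path receive; any caller that distinguishes these failures by class or maps them to a client-facing code presumably now sees a bare Error, and the "WIKI.Error undefined" condition named in the subject (likely an initialisation-order problem) is masked rather than fixed. The new `WIKI.logger.error(...)` call in the first hunk serialises the whole `info` object with `JSON.stringify`; for external strategies that object can carry profile data or provider responses, so log a bounded field instead, e.g. `Info: ${info?.message ?? 'n/a'}`. Keeping the typed errors and guarding their construction would preserve the existing contract while still avoiding the crash. The enclosing login method starts before the first hunk and is shown only in part.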
@@ -17,7 +17,9 @@ module.exports = {
       issuer: conf.issuer,
       userInfoURL: conf.userInfoURL,
       callbackURL: conf.callbackURL,
-      passReqToCallback: true
+      passReqToCallback: true,
+      skipUserProfile: false,
+      store: { verify: (req, state, cb) => cb(null, true), store: (req, ctx, appState, meta, cb) => cb(null, ctx.state) }
     }, async (req, iss, sub, profile, cb) => {
       try {
         const user = await WIKI.db.users.processProfile({
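Review bot: The added `store` option's `verify: (req, state, cb) => cb(null, true)` accepts any `state` value on the callback, and its `store` callback hands back `ctx.state` without persisting anything, so the OIDC flow no longer checks that the authorization response belongs to the session that started it; that check is the login-CSRF and code-injection mitigation the `state` parameter exists for, and switching it off for a whole provider is a security regression rather than a fix. If the problem being worked around is that the stored state is lost between the redirect and the callback (for example a session cookie that does not survive the cross-site return), the fix belongs in the session/cookie configuration, and this hunk should drop the `store` override entirely. `skipUserProfile: false` appears to restate the default, so it is likely redundant. The `module.exports` object and the strategy constructor call begin outside the hunk.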