diff --git a/server/modules/authentication/github/authentication.js b/server/modules/authentication/github/authentication.js
index 49ac7609..aa0fee0e 100644
--- a/server/modules/authentication/github/authentication.js
+++ b/server/modules/authentication/github/authentication.js
@@ -27,6 +27,14 @@ module.exports = {
 passport.use(conf.key,
 new GitHubStrategy(githubConfig, async (req, accessToken, refreshToken, profile, cb) => {
 try {
+ WIKI.logger.info(`GitHub OAuth: Processing profile for user ${profile.id || profile.username}`)
+
+ // Ensure email is available - passport-github2 should fetch it automatically with user:email scope
+ // but we'll log a warning if it's missing
+ if (!profile.emails || (Array.isArray(profile.emails) && profile.emails.length === 0)) {
+ WIKI.logger.warn(`GitHub OAuth: No email found in profile for user ${profile.id || profile.username}. Make sure 'user:email' scope is granted.`)
+ }
+
 const user = await WIKI.models.users.processProfile({
 providerKey: req.params.strategy,
 profile: {
@@ -34,9 +42,19 @@ module.exports = {
 picture: _.get(profile, 'photos[0].value', '')
 }
 })
+
+ WIKI.logger.info(`GitHub OAuth: Successfully authenticated user ${user.email}`)
 cb(null, user)
 } catch (err) {
- cb(err, null)
+ WIKI.logger.warn(`GitHub OAuth: Authentication failed for strategy ${req.params.strategy}:`, err)
+ // Provide more user-friendly error messages
+ if (err.message && err.message.includes('email')) {
+ cb(new Error('GitHub authentication failed: Email address is required but not available. Please ensure your GitHub account has a verified email address and grant email access permissions.'), null)
+ } else if (err instanceof WIKI.Error.AuthAccountBanned) {
+ cb(err, null)
+ } else {
+ cb(new Error(`GitHub authentication failed: ${err.message || 'Unknown error'}`), null)
+ }
 }
 }
 ))
diff --git a/server/modules/authentication/google/authentication.js b/server/modules/authentication/google/authentication.js
index 3af03cb2..3c8b17f7 100644
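Review bot: The missing-email guard in the first GitHub hunk only logs a warning and then still calls `processProfile`, so whether the user gets the friendly "email required" message depends on the later `err.message.includes('email')` match against whatever that call happens to throw. Failing inside the `if` is deterministic: `return cb(new Error('GitHub authentication failed: no email address was returned by GitHub'), null)`, provided `processProfile` cannot succeed without an address (its body is not visible here). The guard also tests presence only; the catch text further down tells users they need a verified address, but no verified flag is checked in the visible lines, which matters if `processProfile` matches existing accounts by email, so that is worth confirming. The strategy callback starts above this hunk and continues past it.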
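Review bot: In the new GitHub catch block the `err.message.includes('email')` test runs before the `instanceof WIKI.Error.AuthAccountBanned` test, and every remaining error is replaced by a plain `Error` that embeds `err.message`. A typed error whose text happens to contain "email" is therefore reported as a missing-address problem, other typed errors lose their class for whatever consumes the callback error downstream, and internal failure text (a database or provider error, for instance) reaches the login response if that error is rendered to the user. I would test `instanceof` first, pass application errors through unchanged, and make the fallback `cb(new Error('GitHub authentication failed'), null)`, since the full `err` is already recorded by the `WIKI.logger.warn` line. The success line also writes `user.email` at info level on every login; an internal account identifier (for example `user.id`, if the model exposes one) identifies the account without collecting addresses in the log. The catch block added to the Google strategy in the second file has the same structure and the same issues.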
--- a/server/modules/authentication/google/authentication.js
+++ b/server/modules/authentication/google/authentication.js
@@ -16,9 +16,13 @@ module.exports = {
 passReqToCallback: true
 }, async (req, accessToken, refreshToken, profile, cb) => {
 try {
- if (conf.hostedDomain && conf.hostedDomain != profile._json.hd) {
- throw new Error('Google authentication should have been performed with domain ' + conf.hostedDomain)
+ WIKI.logger.info(`Google OAuth: Processing profile for user ${profile.id || profile.displayName}`)
+
+ // Validate hosted domain if configured
+ if (conf.hostedDomain && profile._json.hd !== conf.hostedDomain) {
+ throw new Error(`Google authentication failed: User must be from domain ${conf.hostedDomain}, but got ${profile._json.hd || 'unknown'}`)
 }
+
 const user = await WIKI.models.users.processProfile({
 providerKey: req.params.strategy,
 profile: {
@@ -26,9 +30,21 @@ module.exports = {
 picture: _.get(profile, 'photos[0].value', '')
 }
 })
+
+ WIKI.logger.info(`Google OAuth: Successfully authenticated user ${user.email}`)
 cb(null, user)
 } catch (err) {
- cb(err, null)
+ WIKI.logger.warn(`Google OAuth: Authentication failed for strategy ${req.params.strategy}:`, err)
+ // Provide more user-friendly error messages
+ if (err.message && err.message.includes('domain')) {
+ cb(new Error(`Google authentication failed: ${err.message}`), null)
+ } else if (err.message && err.message.includes('email')) {
+ cb(new Error('Google authentication failed: Email address is required but not available. Please ensure your Google account has a verified email address.'), null)
+ } else if (err instanceof WIKI.Error.AuthAccountBanned) {
+ cb(err, null)
+ } else {
+ cb(new Error(`Google authentication failed: ${err.message || 'Unknown error'}`), null)
+ }
 }
 })
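Review bot: The new hosted-domain error in the first Google hunk already begins with "Google authentication failed:" and contains the word "domain", so the `includes('domain')` branch added in this file's catch block wraps it a second time and the prefix appears twice. The message also returns both `conf.hostedDomain` and the caller's `profile._json.hd` in the error; the old text exposed the configured domain as well, but if the callback error is shown on the login page the rejected value is better kept in the warn log only. Throwing `new Error('Account is not in the permitted Google domain')` and letting the catch add the prefix addresses both. The strategy callback starts above this hunk.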