fix(oidc): parse right claims for GitHub authentication

Before this change the authentication via GitHub always errored out within getProfileNameFromEmail because the rune list had a zero length, after my investigation I have been able to pin it down to a lacking email address fetched from the GitHub provider. Since there are various claims like the username, email and fullname which aren't part of the generated claims I have added a switch to properly read all relevant information from the right claims within the GitHub provider. This commit is still lacking proper error display on the login page, but this should be added on another commit in general.
semaphoreui · Jan 29, 2024 · 1431a0a · 1431a0a
1 parent 8d84d5a
commit 1431a0a
Showing 1 changed file with 36 additions and 7 deletions.
diff --git a/api/login.go b/api/login.go
@@ -421,6 +421,10 @@ func getProfileNameFromEmail(email string) string {
 
 	runes := []rune(username)
 
+	if len(runes) == 0 {
+		return ""
+	}
+
 	runes[0] = []rune(strings.ToUpper(string(runes[0])))[0]
 
 	return string(runes)
@@ -484,13 +488,38 @@ func oidcRedirect(w http.ResponseWriter, r *http.Request) {
 		userInfo, err = _oidc.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
 
 		if err == nil {
-			claims.email = userInfo.Email
-			claims.username = getUsernameFromEmail(claims.email)
-
-			if userInfo.Profile != "" {
-				claims.name = userInfo.Profile
-			} else {
-				claims.name = getProfileNameFromEmail(claims.email)
+			switch pid {
+			case "github":
+				type githubClaims struct {
+					Login string `json:"login"`
+					Email string `json:"email"`
+					Name  string `json:"name"`
+				}
+
+				var rawClaims githubClaims
+
+				if err := userInfo.Claims(&rawClaims); err != nil {
+					log.Error(err.Error())
+					http.Redirect(w, r, "/auth/login", http.StatusTemporaryRedirect)
+					return
+				}
+
+				claims.email = rawClaims.Email
+				claims.username = rawClaims.Login
+				claims.name = rawClaims.Name
+
+				if claims.email == "" {
+					claims.email = fmt.Sprintf("%[email protected]", rawClaims.Login)
+				}
+			default:
+				claims.email = userInfo.Email
+				claims.username = getUsernameFromEmail(claims.email)
+
+				if userInfo.Profile != "" {
+					claims.name = userInfo.Profile
+				} else {
+					claims.name = getProfileNameFromEmail(claims.email)
+				}
 			}
 		}
 	}