From 50df9495207c159582afa8f8724f6c4acb2d243f Mon Sep 17 00:00:00 2001
From: Amir Zarrinkafsh
Date: Mon, 16 Nov 2020 22:22:16 +1100
Subject: [PATCH] [BUGFIX] Prevent crash when email has not been set (#1466)
* [BUGFIX] Prevent crash when email has not been set https://github.com/authelia/authelia/commit/a83ccd71887cb843adce10fe14d630fbf3ac9bec introduced a regression where if a misconfigured deployment presented an empty emails array setting `Remote-*` headers would fail. If the emails array is empty we now set the `Remote-Email` header to an empty string.
* Add additional case for unit tests
---
 internal/handlers/handler_verify.go | 7 ++++++-
 internal/handlers/handler_verify_test.go | 20 ++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/internal/handlers/handler_verify.go b/internal/handlers/handler_verify.go
index 961f87c2..407469b5 100644
--- a/internal/handlers/handler_verify.go
+++ b/internal/handlers/handler_verify.go
@@ -159,7 +159,12 @@ func setForwardedHeaders(headers *fasthttp.ResponseHeader, username, name string
 headers.Set(remoteUserHeader, username)
 headers.Set(remoteGroupsHeader, strings.Join(groups, ","))
 headers.Set(remoteNameHeader, name)
- headers.Set(remoteEmailHeader, emails[0])
+
+ if emails != nil {
+ headers.Set(remoteEmailHeader, emails[0])
+ } else {
+ headers.Set(remoteEmailHeader, "")
+ }
 }
 }
diff --git a/internal/handlers/handler_verify_test.go b/internal/handlers/handler_verify_test.go
index 06cfb744..88e9a0d5 100644
--- a/internal/handlers/handler_verify_test.go
+++ b/internal/handlers/handler_verify_test.go
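Review bot: The new guard `if emails != nil {` in setForwardedHeaders still lets an empty but non-nil slice reach `emails[0]`, which panics with an index-out-of-range error, so the crash described for an "empty emails array" is only fixed for the nil case. Checking the length covers both: `if len(emails) > 0 {`. Whether a session can actually carry `[]string{}` depends on how `Emails` is populated and deserialized, which this hunk does not show, but the length check costs nothing. The function signature and its outer `if` begin outside the hunk.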
@@ -413,6 +413,26 @@ func TestShouldVerifyFailingDetailsFetchingInBasicAuth(t *testing.T) {
 "https://test.example.com", actualStatus, expStatus)
 }
+func TestShouldNotCrashOnEmptyEmail(t *testing.T) {
+ mock := mocks.NewMockAutheliaCtx(t)
+ defer mock.Close()
+
+ userSession := mock.Ctx.GetSession()
+ userSession.Username = testUsername
+ userSession.Emails = nil
+ userSession.AuthenticationLevel = authentication.OneFactor
+ mock.Ctx.SaveSession(userSession) //nolint:errcheck // TODO: Legacy code, consider refactoring time permitting.
+
+ mock.Ctx.Request.Header.Set("X-Original-URL", "https://bypass.example.com")
+
+ VerifyGet(verifyGetCfg)(mock.Ctx)
+
+ expStatus, actualStatus := 200, mock.Ctx.Response.StatusCode()
+ assert.Equal(t, expStatus, actualStatus, "URL=%s -> StatusCode=%d != ExpectedStatusCode=%d",
+ "https://bypass.example.com", actualStatus, expStatus)
+ assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek("Remote-Email"))
+}
+
 type Pair struct {
 URL string
 Username string
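Review bot: The only header assertion in TestShouldNotCrashOnEmptyEmail, `assert.Equal(t, []byte(nil), mock.Ctx.Response.Header.Peek("Remote-Email"))`, would presumably also hold if no `Remote-*` header were written at all, so the test does not show that the header-setting path ran with `Emails = nil`. Asserting the user header as well, e.g. `assert.Equal(t, []byte(testUsername), mock.Ctx.Response.Header.Peek("Remote-User"))`, would pin that. A second case with `userSession.Emails = []string{}` would cover the empty non-nil slice, which the nil-only setup leaves untested.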