From: Aki Tuomi
Date: Thu, 4 May 2023 12:44:15 +0000 (+0300)
Subject: lib-oauth2: Return failure instead of crash with invalid or missing token
X-Git-Tag: 2.3.21~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3db58fd809901b52a75d18fea9db4d30ceaafdaa;p=thirdparty%2Fdovecot%2Fcore.git

lib-oauth2: Return failure instead of crash with invalid or missing token
---

diff --git a/src/lib-oauth2/oauth2-request.c b/src/lib-oauth2/oauth2-request.c
index 032eff1630..af3e72f57c 100644
--- a/src/lib-oauth2/oauth2-request.c
+++ b/src/lib-oauth2/oauth2-request.c
@@ -159,6 +159,16 @@ oauth2_request_response(const struct http_response *response,
 oauth2_request_parse_json(req);
 }
 
+static void
+oauth2_request_fail(struct oauth2_request *req)
+{
+ struct oauth2_request_result res = {
+ .error = "No token provided",
+ .valid = FALSE,
+ };
+ oauth2_request_callback(req, &res);
+}
+
 static void
 oauth2_request_set_headers(struct oauth2_request *req,
 const struct oauth2_request_input *input)
@@ -198,8 +208,6 @@ oauth2_request_start(const struct oauth2_settings *set,
 const string_t *payload,
 bool add_auth_bearer)
 {
- i_assert(oauth2_valid_token(input->token));
-
 pool_t pool = (p == NULL) ?
 pool_alloconly_create_clean("oauth2 request", 1024) : p;
 struct oauth2_request *req =
@@ -210,6 +218,12 @@ oauth2_request_start(const struct oauth2_settings *set,
 req->req_callback = callback;
 req->req_context = context;
 
+ if (!oauth2_valid_token(input->token)) {
+ req->to_delayed_error =
+ timeout_add_short(0, oauth2_request_fail, req);
+ return req;
+ }
+
 req->req = http_client_request_url_str(req->set->client, method, url,
 oauth2_request_response,
 req);
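Review bot: `oauth2_request_fail` reports the fixed string `"No token provided"` for every token that `oauth2_valid_token()` rejects, and per the commit subject that covers malformed tokens as well as missing ones, so someone reading the auth logs cannot tell an empty credential from a malformed one. A neutral message such as `.error = "Missing or invalid token",` would describe both cases. The function also has no comment saying that it runs from the `to_delayed_error` timeout. Because that timer is armed with a zero delay, the comment should state that `oauth2_request_callback` (outside this hunk) is expected to remove the timeout and release the request, and that assumption should be confirmed.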
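Review bot: The early return added to `oauth2_request_start` hands the caller a request whose `req->req` was never assigned and whose only pending work is the `to_delayed_error` timer, so every abort or free path for `struct oauth2_request` has to remove that timer and tolerate the missing HTTP request. Those paths are outside the hunk and should be checked, because a caller that aborts before the ioloop runs could otherwise leave `oauth2_request_fail` firing on a released request. A comment above the check would help, for example `/* Token is client-supplied: fail via the callback instead of asserting */`. Since this input previously reached `i_assert`, a unit test that passes an empty and a malformed token and expects `valid == FALSE` would guard against the assert coming back. The body of `oauth2_request_start` starts and ends outside the hunk.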