From: Stephan Bosch
Date: Fri, 28 Feb 2025 01:11:31 +0000 (+0100)
Subject: auth: mech-oauth2 - Properly handle PASSDB_RESULT_USER_UNKNOWN result from token...
X-Git-Tag: 2.4.2~345
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=649b28f2efcb9554760817a0a5f87ee980018968;p=thirdparty%2Fdovecot%2Fcore.git

auth: mech-oauth2 - Properly handle PASSDB_RESULT_USER_UNKNOWN result from token verification
---

diff --git a/src/auth/mech-oauth2.c b/src/auth/mech-oauth2.c
index 75ff5f0c96..b9c6608b41 100644
--- a/src/auth/mech-oauth2.c
+++ b/src/auth/mech-oauth2.c
@@ -68,9 +68,7 @@ static void oauth2_fail_invalid_token(struct oauth2_auth_request *oauth2_req)
 }

 static void
-oauth2_verify_callback(enum passdb_result result,
- const unsigned char *credentials ATTR_UNUSED,
- size_t size ATTR_UNUSED, struct auth_request *request)
+oauth2_verify_finish(enum passdb_result result, struct auth_request *request)
 {
 struct oauth2_auth_request *oauth2_req =
 container_of(request, struct oauth2_auth_request, auth);
@@ -84,12 +82,12 @@ oauth2_verify_callback(enum passdb_result result,
 /* user is explicitly disabled, don't allow it to log in */
 oauth2_fail(oauth2_req, "insufficient_scope");
 break;
+ case PASSDB_RESULT_USER_UNKNOWN:
 case PASSDB_RESULT_PASSWORD_MISMATCH:
 oauth2_fail(oauth2_req, "invalid_token");
 break;
 case PASSDB_RESULT_NEXT:
 case PASSDB_RESULT_SCHEME_NOT_AVAILABLE:
- case PASSDB_RESULT_USER_UNKNOWN:
 case PASSDB_RESULT_OK:
 /* sending success */
 auth_request_success(request, "", 0);
@@ -99,6 +97,16 @@ oauth2_verify_callback(enum passdb_result result,
 }
 }

+static void
+oauth2_verify_callback(enum passdb_result result,
+ const unsigned char *credentials ATTR_UNUSED,
+ size_t size ATTR_UNUSED, struct auth_request *request)
+{
+ if (result == PASSDB_RESULT_USER_UNKNOWN)
+ result = PASSDB_RESULT_OK;
+ oauth2_verify_finish(result, request);
+}
+
 static void
 mech_oauth2_verify_token_continue(struct oauth2_auth_request *oauth2_req,
 const char *const *args)
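Review bot: `PASSDB_RESULT_NEXT` and `PASSDB_RESULT_SCHEME_NOT_AVAILABLE` still fall into the `PASSDB_RESULT_OK` branch of this switch and reach `auth_request_success()`, even though oauth2_verify_finish is now fed the token-verification result directly by mech_oauth2_verify_token_continue and mech_oauth2_verify_token_local_continue. If those two values are only expected from the credentials lookup, it would be safer to normalise them in oauth2_verify_callback alongside the new USER_UNKNOWN mapping, `if (result == PASSDB_RESULT_USER_UNKNOWN || result == PASSDB_RESULT_NEXT || result == PASSDB_RESULT_SCHEME_NOT_AVAILABLE) result = PASSDB_RESULT_OK;`, and let the switch fail them like `PASSDB_RESULT_PASSWORD_MISMATCH`. The switch starts and ends outside this hunk, so the remaining cases could not be checked.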
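Review bot: The mapping of `PASSDB_RESULT_USER_UNKNOWN` to `PASSDB_RESULT_OK` in the new oauth2_verify_callback has no comment, and it is the one place left where a user the lookup does not know is still accepted. I would state the reason above the `if`, presumably something like `/* token already verified; the passdb not knowing the user must not fail the login */` if that is the intent, and name the lookup that installs this callback. A debug line on `request->mech_event` when the remap happens would also make these logins visible in the auth log; the hunk shows no logging on this path.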
@@ -136,7 +144,7 @@ mech_oauth2_verify_token_continue(struct oauth2_auth_request *oauth2_req,
 return;
 }

- oauth2_verify_callback(result, uchar_empty_ptr, 0, request);
+ oauth2_verify_finish(result, request);
 auth_request_unref(&request);
 }

@@ -172,7 +180,7 @@ mech_oauth2_verify_token_local_continue(struct db_oauth2_request *db_req,
 } else {
 e_info(request->mech_event, "oauth2 failed: %s", error);
 }
- oauth2_verify_callback(result, uchar_empty_ptr, 0, request);
+ oauth2_verify_finish(result, request);
 auth_request_unref(&request);
 pool_unref(&db_req->pool);
 }