🐛 Add missing email scope to OIDC backend.

And additionaly emit a warn log message about the error.
2025-03-18 02:32:13 -05:00 · 2021-05-27 11:37:31 +02:00 · 2021-05-27 11:37:31 +02:00 · e8919ee340
commit e8919ee340
parent f8f506a8be
3 changed files with 18 additions and 4 deletions
--- a/backend/src/app/http/oauth.clj
+++ b/backend/src/app/http/oauth.clj
@ -109,6 +109,17 @@
               :cause e)
      nil)))

+(s/def ::backend ::us/not-empty-string)
+(s/def ::email ::us/not-empty-string)
+(s/def ::fullname ::us/not-empty-string)
+(s/def ::props (s/map-of ::us/keyword any?))
+
+(s/def ::info
+  (s/keys :req-un [::backend
+                   ::email
+                   ::fullname
+                   ::props]))
+
 (defn retrieve-info
  [{:keys [tokens provider] :as cfg} request]
  (let [state  (get-in request [:params :state])
@ -116,7 +127,10 @@
        info   (some->> (get-in request [:params :code])
                        (retrieve-access-token cfg)
                        (retrieve-user-info cfg))]
-    (when-not info
+
+    (when-not (s/valid? ::info info)
+      (l/warn :hint "received incomplete profile info object (please set correct scopes)"
+              :info (pr-str info))
      (ex/raise :type :internal
                :code :unable-to-auth
                :hint "no user info"))
@ -236,7 +250,7 @@
              :token-uri     (cf/get :oidc-token-uri)
              :auth-uri      (cf/get :oidc-auth-uri)
              :user-uri      (cf/get :oidc-user-uri)
-              :scopes        (cf/get :oidc-scopes #{"openid" "profile"})
+              :scopes        (cf/get :oidc-scopes #{"openid" "profile" "email"})
              :roles-attr    (cf/get :oidc-roles-attr)
              :roles         (cf/get :oidc-roles)
              :name          "oidc"}]
--- a/docker/images/config.env
+++ b/docker/images/config.env
@ -42,7 +42,7 @@ PENPOT_REGISTRATION_ENABLED=true

 # Comma separated list of allowed domains to register. Empty for allow
 # all.
-PENPOT_REGISTRATION_DOMAIN_WHITELIST=""
+# PENPOT_REGISTRATION_DOMAIN_WHITELIST=""

 # Penpot comes with the facility to create quick demo users that are
 # automatically deleted after some time. This settings enables or
--- a/docker/images/files/nginx-entrypoint.sh
+++ b/docker/images/files/nginx-entrypoint.sh
@ -97,7 +97,7 @@ update_registration_enabled() {
  fi
 }

-update_registration_enabled() {
+update_analytics_enabled() {
  if [ -n "$PENPOT_ANALYTICS_ENABLED" ]; then
    sed -i \
      -e "s|^//var penpotAnalyticsEnabled = .*;|var penpotAnalyticsEnabled = $PENPOT_ANALYTICS_ENABLED;|g" \