Check for invalid responses

DiamondLightSource · Jul 11, 2023 · 2b1bd92 · 2b1bd92
1 parent c57b145
commit 2b1bd92
Showing 1 changed file with 20 additions and 9 deletions.
diff --git a/api/src/Authentication/Type/OIDC.php b/api/src/Authentication/Type/OIDC.php
@@ -19,16 +19,18 @@ function __construct() {
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
         $response = curl_exec($ch);
         curl_close($ch);
-
         $newProviderConfig = json_decode($response);
-        $newProviderConfig->b64ClientCreds = base64_encode(
-            $oidc_client_id . ":" . $oidc_client_secret
-        );
 
-        if($newProviderConfig == null) {
+        if(!$newProviderConfig
+            || !isset($newProviderConfig->userinfo_endpoint)
+            || !isset($newProviderConfig->authorization_endpoint) 
+            || !isset($newProviderConfig->token_endpoint)) {
             error_log("OIDC Authentication provider replied with invalid JSON body");
             return;
         }
+        $newProviderConfig->b64ClientCreds = base64_encode(
+            $oidc_client_id . ":" . $oidc_client_secret
+        );
 
         $this->providerConfig = $newProviderConfig;
     }
@@ -43,9 +45,12 @@ private function getUser($token)
         $response = curl_exec($ch);
         curl_close($ch);
 
-        $fedid = json_decode($response)->id;
+        $response_json = json_decode($response);
+        if (!$response_json || !isset($response_json->id)) {
+            return false;
+        }
 
-        return $fedid;
+        return $response_json->id;
     }
 
     function authenticate($login, $password) 
@@ -92,8 +97,14 @@ function authenticateByCode($code)
         curl_setopt($ch, CURLOPT_HTTPHEADER, array('Authorization: Basic ' . $this->providerConfig->b64ClientCreds));
         $response = curl_exec($ch);
         curl_close($ch);
-
-        $token = json_decode($response)->access_token;
+
+        $response_json = json_decode($response);
+        if (!$response_json || !isset($response_json->access_token)) {
+            error_log("Invalid authentication attempt, provider returned invalid response");
+            return false;
+        }        
+
+        $token = $response_json->access_token;
 
         if(!$token) {
             error_log("Invalid authentication attempt, provider returned no access token");