local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 59 Pull requests 2 Projects 2 Releases Packages 1 Activity Actions

Secrets: return MissingSecret when OIDC values nil to avoid crashes

Browse source
This commit is contained in:
Moritz 2026-02-24 15:07:41 +01:00
parent 4b31578f6c
commit c49758fc46
Signed by: moritz
GPG key ID: 1020A035E5DD0824
1 changed files with 25 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

36
lib/mv/secrets.ex
View file

@ -14,45 +14,59 @@ defmodule Mv.Secrets do
- OIDC_BASE_URL / settings.oidc_base_url
- OIDC_REDIRECT_URI / settings.oidc_redirect_uri
## Usage
This module is automatically called by AshAuthentication when resolving
secrets for the User resource's OIDC strategy.
When a value is nil, returns `{:error, MissingSecret}` so that AshAuthentication
does not crash (e.g. URI.new(nil)) and can redirect to sign-in with an error.
"""
use AshAuthentication.Secret
alias AshAuthentication.Errors.MissingSecret
def secret_for(
[:authentication, :strategies, :oidc, :client_id],
Mv.Accounts.User,
resource,
_opts,
_meth
) do
{:ok, Mv.Config.oidc_client_id()}
secret_or_error(Mv.Config.oidc_client_id(), resource, :client_id)
end
def secret_for(
[:authentication, :strategies, :oidc, :redirect_uri],
Mv.Accounts.User,
resource,
_opts,
_meth
) do
{:ok, Mv.Config.oidc_redirect_uri()}
secret_or_error(Mv.Config.oidc_redirect_uri(), resource, :redirect_uri)
end
def secret_for(
[:authentication, :strategies, :oidc, :client_secret],
Mv.Accounts.User,
resource,
_opts,
_meth
) do
{:ok, Mv.Config.oidc_client_secret()}
secret_or_error(Mv.Config.oidc_client_secret(), resource, :client_secret)
end
def secret_for(
[:authentication, :strategies, :oidc, :base_url],
Mv.Accounts.User,
resource,
_opts,
_meth
) do
{:ok, Mv.Config.oidc_base_url()}
secret_or_error(Mv.Config.oidc_base_url(), resource, :base_url)
end
defp secret_or_error(nil, resource, key) do
path = [:authentication, :strategies, :oidc, key]
{:error, MissingSecret.exception(path: path, resource: resource)}
end
defp secret_or_error(value, resource, key) when is_binary(value) do
if String.trim(value) == "" do
secret_or_error(nil, resource, key)
else
{:ok, value}
end
end
end