backport sync with v0.37.4

2026-05-19 06:11:43 -04:00 · 2026-04-27 08:02:07 +03:00
parent d239adcc0b
commit b2de05e0a4
2 changed files with 16 additions and 9 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,8 @@
 ## v0.22.42

- (_Backported from v0.37.4_) Adjusted Bitbucket, GitHub and Gitea/Forgejo OAuth2 providers to better reflect recent API updates and doc references.
-    _The providers also now always send a sepatate emails list internal request since it contains more information about the fetched email than the userinfo endpoint in order to minimize eventual linking security issues caused by custom onpremise setups (e.g. Gitea/Forgejo allows skipping the emails verification if an ENV variable is configured)._
+- (_Backported from v0.37.4_) Adjusted Bitbucket, GitHub, GitLab and Gitea/Forgejo OAuth2 providers to better reflect recent API updates and doc references.
+    _In case the userinfo data is not sufficient, some of the providers now send a sepatate list emails request in order to minimize eventual linking security issues caused by custom onpremise setups (e.g. Gitea/Forgejo allows skipping the email verification if an ENV variable is configured)._
+

 - (_Backported from v0.37.4_) ⚠️ Fixed a pre-hijacking OAuth2 linking vulnerability ([#7662](https://github.com/pocketbase/pocketbase/discussions/7662)).

--- a/tools/auth/gitlab.go
+++ b/tools/auth/gitlab.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"strconv"
+	"time"

 	"github.com/pocketbase/pocketbase/tools/types"
 	"golang.org/x/oauth2"
@@ -34,7 +35,7 @@ func NewGitlabProvider() *Gitlab {

 // FetchAuthUser returns an AuthUser instance based the Gitlab's user api.
 //
-// API reference: https://docs.gitlab.com/ee/api/users.html#for-admin
+// API reference: https://docs.gitlab.com/api/users/#retrieve-the-current-user
 func (p *Gitlab) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
 	data, err := p.FetchRawUserData(token)
 	if err != nil {
@@ -47,11 +48,12 @@ func (p *Gitlab) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
 	}

 	extracted := struct {
-		Id        int    `json:"id"`
-		Name      string `json:"name"`
-		Username  string `json:"username"`
-		Email     string `json:"email"`
-		AvatarUrl string `json:"avatar_url"`
+		Id          int    `json:"id"`
+		Name        string `json:"name"`
+		Username    string `json:"username"`
+		Email       string `json:"email"`
+		AvatarUrl   string `json:"avatar_url"`
+		ConfirmedAt string `json:"confirmed_at"`
 	}{}
 	if err := json.Unmarshal(data, &extracted); err != nil {
 		return nil, err
@@ -61,7 +63,6 @@ func (p *Gitlab) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
 		Id:           strconv.Itoa(extracted.Id),
 		Name:         extracted.Name,
 		Username:     extracted.Username,
-		Email:        extracted.Email,
 		AvatarUrl:    extracted.AvatarUrl,
 		RawUser:      rawUser,
 		AccessToken:  token.AccessToken,
@@ -70,5 +71,10 @@ func (p *Gitlab) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {

 	user.Expiry, _ = types.ParseDateTime(token.Expiry)

+	confirmedAt, err := time.Parse(time.RFC3339, extracted.ConfirmedAt)
+	if err == nil && !confirmedAt.IsZero() {
+		user.Email = extracted.Email
+	}
+
 	return user, nil
 }