From dddb0a029fc6d5aaf7cc04bb70efcdceabaa9f5b Mon Sep 17 00:00:00 2001 From: Gani Georgiev Date: Sat, 25 Apr 2026 17:51:20 +0300 Subject: [PATCH] updated bitbucket,github and gitea oauth2 providers --- CHANGELOG.md | 4 +++ tools/auth/bitbucket.go | 7 +++-- tools/auth/gitea.go | 70 +++++++++++++++++++++++++++++++++++++---- tools/auth/github.go | 27 +++++++--------- 4 files changed, 84 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0fd2ed34..7dfa5fd3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,10 @@ - Fixed autocomplete selection not properly updating the underlying input value ([#7664](https://github.com/pocketbase/pocketbase/issues/7664)). +- Adjusted Bitbucket, GitHub and Gitea/Forgejo OAuth2 providers to better reflect recent API updates and doc references. + _The providers also now always send an extra emails_list request to fetch only the explicitly verified primary email in order to eliminate eventual security issues caused by misconfigured onpremise setups._ + + ## v0.37.3 diff --git a/tools/auth/bitbucket.go b/tools/auth/bitbucket.go index e0b0a5b0..05ffa29c 100644 --- a/tools/auth/bitbucket.go +++ b/tools/auth/bitbucket.go @@ -120,8 +120,9 @@ func (p *Bitbucket) fetchPrimaryEmail(token *oauth2.Token) (string, error) { expected := struct { Values []struct { - Email string `json:"email"` - IsPrimary bool `json:"is_primary"` + Email string `json:"email"` + IsPrimary bool `json:"is_primary"` + IsConfirmed bool `json:"is_confirmed"` } `json:"values"` }{} if err := json.Unmarshal(data, &expected); err != nil { @@ -129,7 +130,7 @@ func (p *Bitbucket) fetchPrimaryEmail(token *oauth2.Token) (string, error) { } for _, v := range expected.Values { - if v.IsPrimary { + if v.IsPrimary && v.IsConfirmed { return v.Email, nil } } diff --git a/tools/auth/gitea.go b/tools/auth/gitea.go index 5f8f4b81..057e9864 100644 --- a/tools/auth/gitea.go +++ b/tools/auth/gitea.go @@ -3,6 +3,9 @@ package auth import ( "context" "encoding/json" + "errors" + "fmt" + "io" "strconv" "github.com/pocketbase/pocketbase/tools/types" @@ -15,10 +18,10 @@ func init() { var _ Provider = (*Gitea)(nil) -// NameGitea is the unique name of the Gitea provider. +// NameGitea is the unique name of the Gitea/Forgejo provider. const NameGitea string = "gitea" -// Gitea allows authentication via Gitea OAuth2. +// Gitea allows authentication via Gitea/Forgejo OAuth2. type Gitea struct { BaseProvider } @@ -38,9 +41,9 @@ func NewGiteaProvider() *Gitea { }} } -// FetchAuthUser returns an AuthUser instance based on Gitea's user api. +// FetchAuthUser returns an AuthUser instance based on Gitea/Forgejo's user api. // -// API reference: https://try.gitea.io/api/swagger#/user/userGetCurrent +// API reference: https://codeberg.org/api/swagger#/user/userGetCurrent func (p *Gitea) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) { data, err := p.FetchRawUserInfo(token) if err != nil { @@ -55,26 +58,81 @@ func (p *Gitea) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) { extracted := struct { Name string `json:"full_name"` Username string `json:"login"` - Email string `json:"email"` AvatarURL string `json:"avatar_url"` Id int64 `json:"id"` + Active bool `json:"active"` }{} if err := json.Unmarshal(data, &extracted); err != nil { return nil, err } + if !extracted.Active { + return nil, errors.New("user account is not active") + } + user := &AuthUser{ Id: strconv.FormatInt(extracted.Id, 10), Name: extracted.Name, Username: extracted.Username, - Email: extracted.Email, AvatarURL: extracted.AvatarURL, RawUser: rawUser, AccessToken: token.AccessToken, RefreshToken: token.RefreshToken, } + email, err := p.fetchVerifiedPrimaryEmail(token) + if err != nil { + return nil, fmt.Errorf("failed to fetch primary email: %w", err) + } + user.Email = email + user.Expiry, _ = types.ParseDateTime(token.Expiry) return user, nil } + +// fetchVerifiedPrimaryEmail sends an API request to retrieve the verified +// primary email, in case "Keep my email address private" was set. +// +// NB! This method can succeed and still return an empty email. +// Error responses that are result of insufficient scopes permissions are ignored. +// +// API reference: https://codeberg.org/api/swagger#/user/userListEmails +func (p *Gitea) fetchVerifiedPrimaryEmail(token *oauth2.Token) (string, error) { + client := p.Client(token) + + response, err := client.Get(p.userInfoURL + "/emails") + if err != nil { + return "", err + } + defer response.Body.Close() + + // ignore common http errors caused by insufficient scope permissions + // (the email field is optional, aka. return the auth user without it) + if response.StatusCode == 401 || response.StatusCode == 403 || response.StatusCode == 404 { + return "", nil + } + + content, err := io.ReadAll(response.Body) + if err != nil { + return "", err + } + + emails := []struct { + Email string + Verified bool + Primary bool + }{} + if err := json.Unmarshal(content, &emails); err != nil { + return "", err + } + + // extract the verified primary email + for _, email := range emails { + if email.Verified && email.Primary { + return email.Email, nil + } + } + + return "", nil +} diff --git a/tools/auth/github.go b/tools/auth/github.go index b3b80837..b8d858ef 100644 --- a/tools/auth/github.go +++ b/tools/auth/github.go @@ -42,7 +42,7 @@ func NewGithubProvider() *Github { // FetchAuthUser returns an AuthUser instance based the Github's user api. // -// API reference: https://docs.github.com/en/rest/reference/users#get-the-authenticated-user +// API reference: https://docs.github.com/en/rest/users/users?apiVersion=2026-03-10#get-the-authenticated-user func (p *Github) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) { data, err := p.FetchRawUserInfo(token) if err != nil { @@ -55,9 +55,8 @@ func (p *Github) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) { } extracted := struct { - Login string `json:"login"` Name string `json:"name"` - Email string `json:"email"` + Login string `json:"login"` AvatarURL string `json:"avatar_url"` Id int64 `json:"id"` }{} @@ -69,7 +68,6 @@ func (p *Github) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) { Id: strconv.FormatInt(extracted.Id, 10), Name: extracted.Name, Username: extracted.Login, - Email: extracted.Email, AvatarURL: extracted.AvatarURL, RawUser: rawUser, AccessToken: token.AccessToken, @@ -78,27 +76,26 @@ func (p *Github) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) { user.Expiry, _ = types.ParseDateTime(token.Expiry) - // in case user has set "Keep my email address private", send an - // **optional** API request to retrieve the verified primary email - if user.Email == "" { - email, err := p.fetchPrimaryEmail(token) - if err != nil { - return nil, err - } - user.Email = email + // always send a primary email request even though the email is + // returned in the userinfo endpoint since the API may change and + // enterprise setups may have configuration that could allow unverified emails + email, err := p.fetchVerifiedPrimaryEmail(token) + if err != nil { + return nil, err } + user.Email = email return user, nil } -// fetchPrimaryEmail sends an API request to retrieve the verified +// fetchVerifiedPrimaryEmail sends an API request to retrieve the verified // primary email, in case "Keep my email address private" was set. // // NB! This method can succeed and still return an empty email. // Error responses that are result of insufficient scopes permissions are ignored. // -// API reference: https://docs.github.com/en/rest/users/emails?apiVersion=2022-11-28 -func (p *Github) fetchPrimaryEmail(token *oauth2.Token) (string, error) { +// API reference: https://docs.github.com/en/rest/users/emails?apiVersion=2022-11-28#list-email-addresses-for-the-authenticated-user +func (p *Github) fetchVerifiedPrimaryEmail(token *oauth2.Token) (string, error) { client := p.Client(token) response, err := client.Get(p.userInfoURL + "/emails")