Merge pull request #28 from HarperFast/callback-bugfix

better handle provider errors on callback

Author: heskew

src/lib/OAuthProvider.ts

@@ -109,8 +109,20 @@ export class OAuthProvider implements IOAuthProvider {
 		});
 
 		if (!response.ok) {
-			const errorText = await response.text();
-			throw new Error(`Token exchange failed: ${errorText}`);
+			const contentType = response.headers.get('content-type');
+			if (contentType?.includes('application/json')) {
+				try {
+					const errorBody = await response.json();
+					const detail = errorBody.error_description || errorBody.error || response.statusText;
+					throw new Error(`Token exchange failed: ${detail}`);
+				} catch (parseError) {
+					if (parseError instanceof Error && parseError.message.startsWith('Token exchange failed')) throw parseError;
+					// JSON parse failed despite content-type header — fall through to generic error
+				}
+			}
+			// Drain unconsumed body to free the underlying socket (undici connection pool)
+			await response.body?.cancel();
+			throw new Error(`Token exchange failed: provider returned ${response.status} ${response.statusText}`);
 		}
 
 		const contentType = response.headers.get('content-type');
@@ -366,13 +378,24 @@ export class OAuthProvider implements IOAuthProvider {
 		});
 
 		if (!response.ok) {
-			const error = await response.text();
+			const contentType = response.headers.get('content-type');
+			let detail: string = `${response.status} ${response.statusText}`;
+			if (contentType?.includes('application/json')) {
+				try {
+					const errorBody = await response.json();
+					detail = errorBody.error_description || errorBody.error || response.statusText;
+				} catch {
+					// JSON parse failed despite content-type header — use status/statusText
+				}
+			}
+			// Drain unconsumed body to free the underlying socket (undici connection pool)
+			await response.body?.cancel();
 			this.logger?.error?.('Token refresh HTTP error:', {
 				status: response.status,
 				statusText: response.statusText,
-				body: error,
+				detail,
 			});
-			throw new Error(`Token refresh failed: ${error}`);
+			throw new Error(`Token refresh failed: ${detail}`);
 		}
 
 		const contentType = response.headers.get('content-type');

src/lib/handlers.ts

@@ -55,6 +55,21 @@ export function sanitizeRedirect(redirectParam: string): string {
 	}
 }
 
+/**
+ * Build a safe error redirect URL
+ *
+ * Sanitizes the redirect path, then appends error query params using the URL API
+ * so params are always placed before any hash fragment.
+ */
+function buildErrorRedirect(rawUrl: string, params: Record<string, string>): string {
+	const safePath = sanitizeRedirect(rawUrl);
+	const url = new URL(safePath, 'http://localhost');
+	for (const [key, value] of Object.entries(params)) {
+		url.searchParams.set(key, value);
+	}
+	return url.pathname + url.search + url.hash;
+}
+
 /**
  * Handle OAuth login initiation
  */
@@ -74,7 +89,8 @@ export async function handleLogin(
 		redirectParam = sanitizeRedirect(redirectParam);
 	}
 
-	const originalUrl = redirectParam || request.headers?.referer || config.postLoginRedirect || '/';
+	const referer = request.headers?.referer ? sanitizeRedirect(request.headers.referer) : undefined;
+	const originalUrl = redirectParam || referer || config.postLoginRedirect || '/';
 
 	// Generate CSRF token with metadata
 	// Bind token to provider to prevent cross-provider CSRF attacks
@@ -118,9 +134,7 @@ export async function handleCallback(
 	// Handle OAuth errors from provider
 	if (error) {
 		logger?.error?.(`OAuth error: ${error} - ${errorDescription}`);
-		// Redirect to original URL or fallback with error
-		const fallbackUrl = config.postLoginRedirect || '/';
-		const errorUrl = `${fallbackUrl}${fallbackUrl.includes('?') ? '&' : '?'}error=oauth_failed&reason=${encodeURIComponent(error)}`;
+		const errorUrl = buildErrorRedirect(config.postLoginRedirect || '/', { error: 'oauth_failed', reason: error });
 		return {
 			status: 302,
 			headers: {
@@ -132,8 +146,7 @@ export async function handleCallback(
 	// Validate parameters
 	if (!code || !state) {
 		logger?.warn?.('Missing required OAuth callback parameters');
-		const fallbackUrl = config.postLoginRedirect || '/';
-		const errorUrl = `${fallbackUrl}${fallbackUrl.includes('?') ? '&' : '?'}error=invalid_request`;
+		const errorUrl = buildErrorRedirect(config.postLoginRedirect || '/', { error: 'invalid_request' });
 		return {
 			status: 302,
 			headers: {
@@ -163,8 +176,10 @@ export async function handleCallback(
 		);
 		// This could be an attack - redirect back to original URL with error
 		// Do NOT redirect to login endpoint as that would restart OAuth flow
-		const redirectUrl = tokenData.originalUrl || config.postLoginRedirect || '/';
-		const errorUrl = `${redirectUrl}${redirectUrl.includes('?') ? '&' : '?'}error=auth_failed&reason=csrf`;
+		const errorUrl = buildErrorRedirect(tokenData.originalUrl || config.postLoginRedirect || '/', {
+			error: 'auth_failed',
+			reason: 'csrf',
+		});
 		return {
 			status: 302,
 			headers: {
@@ -257,20 +272,30 @@ export async function handleCallback(
 			logger?.warn?.('No session available for OAuth user');
 		}
 
-		// Redirect to original URL or default
+		// Redirect to original URL or default (sanitize to prevent open redirect)
 		return {
 			status: 302,
 			headers: {
-				Location: tokenData.originalUrl || config.postLoginRedirect || '/',
+				Location: sanitizeRedirect(tokenData.originalUrl || config.postLoginRedirect || '/'),
 			},
 		};
 	} catch (error) {
 		logger?.error?.('OAuth callback error:', error);
+		// Use a safe, generic reason code — details are in the server log
+		const message = (error as Error).message || '';
+		let reason = 'unknown';
+		if (message.startsWith('Token exchange failed')) reason = 'token_exchange';
+		else if (message.includes('claim')) reason = 'user_mapping';
+		else if (message.includes('user info') || message.includes('userinfo')) reason = 'user_info';
+		else if (message.includes('hook') || message.includes('onLogin')) reason = 'login_hook';
+		const errorUrl = buildErrorRedirect(tokenData.originalUrl || config.postLoginRedirect || '/', {
+			error: 'auth_failed',
+			reason,
+		});
 		return {
-			status: 500,
-			body: {
-				error: 'Authentication failed',
-				message: (error as Error).message,
+			status: 302,
+			headers: {
+				Location: errorUrl,
 			},
 		};
 	}

test/lib/OAuthProvider.test.js

@@ -331,17 +331,137 @@ describe('OAuthProvider', () => {
 			}
 		});
 
-		it('should throw on token exchange failure', async () => {
+		it('should throw with sanitized message on token exchange failure', async () => {
 			const originalFetch = global.fetch;
 
 			global.fetch = async () => ({
 				ok: false,
-				text: async () => 'Invalid client credentials',
+				status: 401,
+				statusText: 'Unauthorized',
+				headers: { get: () => null },
+			});
+
+			try {
+				await assert.rejects(async () => await provider.exchangeCodeForToken('code', 'https://callback'), {
+					message: /Token exchange failed.*401 Unauthorized/i,
+				});
+			} finally {
+				global.fetch = originalFetch;
+			}
+		});
+
+		it('should extract error_description from JSON error response', async () => {
+			const originalFetch = global.fetch;
+
+			global.fetch = async () => ({
+				ok: false,
+				status: 400,
+				statusText: 'Bad Request',
+				headers: { get: (h) => (h === 'content-type' ? 'application/json' : null) },
+				json: async () => ({
+					error: 'invalid_client',
+					error_description: 'The client credentials are invalid',
+				}),
+			});
+
+			try {
+				await assert.rejects(async () => await provider.exchangeCodeForToken('code', 'https://callback'), {
+					message: /Token exchange failed.*The client credentials are invalid/i,
+				});
+			} finally {
+				global.fetch = originalFetch;
+			}
+		});
+
+		it('should not leak HTML error pages in token exchange errors', async () => {
+			const originalFetch = global.fetch;
+
+			global.fetch = async () => ({
+				ok: false,
+				status: 500,
+				statusText: 'Internal Server Error',
+				headers: { get: (h) => (h === 'content-type' ? 'text/html' : null) },
+			});
+
+			try {
+				await assert.rejects(async () => await provider.exchangeCodeForToken('code', 'https://callback'), {
+					message: /Token exchange failed.*500 Internal Server Error/i,
+				});
+			} finally {
+				global.fetch = originalFetch;
+			}
+		});
+
+		it('should drain response body on non-JSON error to prevent socket leak', async () => {
+			const originalFetch = global.fetch;
+			let bodyCancelled = false;
+
+			global.fetch = async () => ({
+				ok: false,
+				status: 500,
+				statusText: 'Internal Server Error',
+				headers: { get: (h) => (h === 'content-type' ? 'text/html' : null) },
+				body: {
+					cancel: async () => {
+						bodyCancelled = true;
+					},
+				},
+			});
+
+			try {
+				await assert.rejects(async () => await provider.exchangeCodeForToken('code', 'https://callback'), {
+					message: /Token exchange failed/,
+				});
+				assert.ok(bodyCancelled, 'response.body.cancel() should have been called');
+			} finally {
+				global.fetch = originalFetch;
+			}
+		});
+	});
+
+	describe('JSON Parse Safety', () => {
+		beforeEach(() => {
+			provider = new OAuthProvider(mockConfig, mockLogger);
+		});
+
+		it('should fall back to status when JSON parse fails in token exchange', async () => {
+			const originalFetch = global.fetch;
+
+			global.fetch = async () => ({
+				ok: false,
+				status: 502,
+				statusText: 'Bad Gateway',
+				headers: { get: (h) => (h === 'content-type' ? 'application/json' : null) },
+				json: async () => {
+					throw new SyntaxError('Unexpected end of JSON input');
+				},
 			});
 
 			try {
 				await assert.rejects(async () => await provider.exchangeCodeForToken('code', 'https://callback'), {
-					message: /Token exchange failed.*Invalid client credentials/i,
+					message: /Token exchange failed.*502 Bad Gateway/i,
+				});
+			} finally {
+				global.fetch = originalFetch;
+			}
+		});
+
+		it('should fall back to status when JSON parse fails in token refresh', async () => {
+			const originalFetch = global.fetch;
+
+			global.fetch = async () => ({
+				ok: false,
+				status: 502,
+				statusText: 'Bad Gateway',
+				headers: { get: (h) => (h === 'content-type' ? 'application/json' : null) },
+				json: async () => {
+					throw new SyntaxError('Unexpected end of JSON input');
+				},
+			});
+
+			try {
+				await assert.rejects(async () => await provider.refreshAccessToken('bad-token'), {
+					message: /Token refresh failed.*502 Bad Gateway/i,
 				});
 			} finally {
 				global.fetch = originalFetch;
@@ -478,19 +598,68 @@ describe('OAuthProvider', () => {
 			}
 		});
 
-		it('should throw on HTTP error during token refresh', async () => {
+		it('should throw with sanitized message on HTTP error during token refresh', async () => {
 			const originalFetch = global.fetch;
 
 			global.fetch = async () => ({
 				ok: false,
 				status: 400,
 				statusText: 'Bad Request',
-				text: async () => 'invalid_grant: The refresh token is invalid',
+				headers: { get: () => null },
+			});
+
+			try {
+				await assert.rejects(async () => await provider.refreshAccessToken('bad-token'), {
+					message: /Token refresh failed.*400 Bad Request/i,
+				});
+			} finally {
+				global.fetch = originalFetch;
+			}
+		});
+
+		it('should drain response body on error to prevent socket leak', async () => {
+			const originalFetch = global.fetch;
+			let bodyCancelled = false;
+
+			global.fetch = async () => ({
+				ok: false,
+				status: 502,
+				statusText: 'Bad Gateway',
+				headers: { get: () => null },
+				body: {
+					cancel: async () => {
+						bodyCancelled = true;
+					},
+				},
+			});
+
+			try {
+				await assert.rejects(async () => await provider.refreshAccessToken('bad-token'), {
+					message: /Token refresh failed/,
+				});
+				assert.ok(bodyCancelled, 'response.body.cancel() should have been called');
+			} finally {
+				global.fetch = originalFetch;
+			}
+		});
+
+		it('should extract error_description from JSON error during token refresh', async () => {
+			const originalFetch = global.fetch;
+
+			global.fetch = async () => ({
+				ok: false,
+				status: 400,
+				statusText: 'Bad Request',
+				headers: { get: (h) => (h === 'content-type' ? 'application/json' : null) },
+				json: async () => ({
+					error: 'invalid_grant',
+					error_description: 'The refresh token is invalid',
+				}),
 			});
 
 			try {
 				await assert.rejects(async () => await provider.refreshAccessToken('bad-token'), {
-					message: /Token refresh failed.*invalid_grant/i,
+					message: /Token refresh failed.*The refresh token is invalid/i,
 				});
 			} finally {
 				global.fetch = originalFetch;