Google OAuth: missing email array validation #3907

@Nixxx19


p5.js version

No response

What is your operating system?

None

Web browser and version

No response

Actual Behavior

Google strategy accesses profile._json.emails[0] without checking that emails exists and has length. If Google does not return emails, this throws TypeError: Cannot read property '0' of undefined and crashes the OAuth flow.

Location: server/config/passport.js Google Strategy, lines 244, 261, 265

Expected Behavior

Before using profile._json.emails[0], code should verify profile._json?.emails exists and has at least one element. If not, call done(null, false, { msg: '...' }) instead of throwing.

Steps to reproduce

  1. Use (or mock) a Google OAuth profile that has no emails or empty emails array.
  2. Complete Google sign-in so the strategy callback runs.
  3. Observe unhandled TypeError and OAuth failure instead of a user-friendly message.

Snippet:

// passport.js - Google strategy
const existingUser = await User.findOne({
  google: profile._json.emails[0].value  // crashes if emails undefined
}).exec();
// ...
const primaryEmail = profile._json.emails[0].value;
// ...
req.user.google = profile._json.emails[0].value;
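
One way to implement the guard this issue asks for, as an added example rather than the project's own code. The names `getPrimaryGoogleEmail`, `makeGoogleVerify`, `runVerify` and the injected `findUser` lookup are hypothetical, the callback signature assumes passport's `passReqToCallback: true`, and the account-linking logic is simplified.

```javascript
// Return the first usable email from a Google profile, or null when none exists.
function getPrimaryGoogleEmail(profile) {
  const emails = profile?._json?.emails;
  if (!Array.isArray(emails) || emails.length === 0) return null;
  const value = emails[0]?.value;
  return typeof value === 'string' && value.trim() !== '' ? value : null;
}

// Build a verify callback. findUser stands in for User.findOne(...).exec()
// so the example runs without a database (assumption, not project code).
function makeGoogleVerify(findUser) {
  return async function verify(req, accessToken, refreshToken, profile, done) {
    try {
      const email = getPrimaryGoogleEmail(profile);
      if (email === null) {
        // Fail authentication cleanly instead of throwing a TypeError.
        return done(null, false, {
          msg: 'Google did not return an email address for this account.'
        });
      }
      const existingUser = await findUser({ google: email });
      if (existingUser) return done(null, existingUser);
      // Simplified: the real strategy has further linking/creation branches.
      return done(null, false, { msg: `No account is linked to ${email}.` });
    } catch (err) {
      return done(err); // lookup errors still reach passport's error path
    }
  };
}

// Run the callback against a constructed profile and capture what done() received.
function runVerify(profile, users = []) {
  const findUser = async (q) => users.find((u) => u.google === q.google) || null;
  const verify = makeGoogleVerify(findUser);
  return new Promise((resolve) => {
    verify({}, 'token', 'refresh', profile, (err, user, info) =>
      resolve({ err, user, info }));
  });
}
```
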


Labels: Bug (Error or unexpected behaviors)
