eclipse-vertx / vertx-auth

Apache License 2.0

UserConverter NPE when User.authorizations() returns null #637

Closed jpenglert closed 1 year ago

jpenglert commented 1 year ago

Version

4.3.7

Context

UserImpl has a default constructor which does not initialize its authorizations field. The UserConverter class expects User.authorizations() to return a non-null value. If an instance of UserImpl is constructed using the default constructor and then later on serialized (since it implements ClusterSerializable), it will result in an NPE when it delegates serialization to UserConverter, because UserConverter does not perform a null check.

I encountered this with the Pac4jUser class from org.pac4j:vertx-pac4j which extends UserImpl and implements the default constructor which leaves the authorizations field null. The VertxProfileManager from org.pac4j:vertx-pac4j uses the Pac4jUser default constructor.

Seems like UserConverter should check if User.authorizations() returns null before attempting to serialize it.

Do you have a reproducer?

UserConverter.encode(new UserImpl());

Steps to reproduce

  1. Run UserConverter.encode(new UserImpl()); in a unit test

Extra

jpenglert commented 1 year ago

I'll make a PR for this.

jpenglert commented 1 year ago

See PR https://github.com/eclipse-vertx/vertx-auth/pull/639

jpenglert commented 1 year ago

@pmlopes is it possible to get this in a 4.x release? This is blocking an upgrade of one of our microservices from 3.x -> 4.x

tsegismont commented 1 year ago

Fixed in #653
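
The failure mode reported in this issue, reproduced with simplified stand-in classes. This is an added example, not vertx-auth or vertx-pac4j code and not the change made in #653; `DemoUser`, `encodeUnchecked` and `encodeChecked` are hypothetical names, and the map-based encoding is an assumption made to keep the example dependency-free.

```java
import java.util.*;

// Simplified stand-ins (assumptions), not the vertx-auth classes.
public class NullAuthorizationsDemo {

  /** Models a user whose no-arg constructor leaves authorizations unset. */
  static class DemoUser {
    final Map<String, Object> principal = new HashMap<>();
    Map<String, Set<String>> authorizations; // provider id -> permissions; null after new DemoUser()

    DemoUser() {}
    DemoUser(Map<String, Set<String>> authz) { this.authorizations = authz; }
  }

  /** Converter that trusts the field to be non-null: throws NullPointerException otherwise. */
  static Map<String, Object> encodeUnchecked(DemoUser u) {
    Map<String, Object> out = new LinkedHashMap<>();
    out.put("principal", u.principal);
    Map<String, List<String>> authz = new TreeMap<>();
    u.authorizations.forEach((provider, perms) -> authz.put(provider, new ArrayList<>(perms)));
    out.put("authorizations", authz);
    return out;
  }

  /** Null-tolerant converter: a missing authorizations object is encoded as "no permissions". */
  static Map<String, Object> encodeChecked(DemoUser u) {
    Objects.requireNonNull(u, "user");
    Map<String, Object> out = new LinkedHashMap<>();
    out.put("principal", u.principal);
    Map<String, List<String>> authz = new TreeMap<>();
    if (u.authorizations != null) { // fail closed: null never widens what the user may do
      u.authorizations.forEach((provider, perms) -> authz.put(provider, new ArrayList<>(new TreeSet<>(perms))));
    }
    out.put("authorizations", authz);
    return out;
  }

  public static void main(String[] args) {
    DemoUser blank = new DemoUser(); // constructed sample: built with the default constructor
    try {
      encodeUnchecked(blank);
    } catch (NullPointerException e) {
      System.out.println("unchecked encode: NullPointerException");
    }
    System.out.println("checked encode (blank): " + encodeChecked(blank));
    DemoUser reader = new DemoUser(Map.of("demo-provider", Set.of("read"))); // constructed sample
    System.out.println("checked encode (reader): " + encodeChecked(reader));
  }
}
```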