zitadel / oidc

Easy to use OpenID Connect client and server library written for Go and certified by the OpenID Foundation
https://zitadel.com
Apache License 2.0

[Bug]: nil pointer dereference when not setting unauthorized handler #545

Closed rgzr closed 7 months ago

rgzr commented 8 months ago

Preflight Checklist

Version

v3.11.1

Describe the problem caused by this bug

NewRelyingPartyOIDC does not set unauthorizedHandler field, so when an unauthorized error happens and unauthorizedError function is called, it produces a panic here https://github.com/zitadel/oidc/blob/main/pkg/client/rp/relying_party.go#L755

The check against HasUnauthorizedHandler interface passes because relyingParty struct has a method UnauthorizedHandler that returns its unauthorizedHandler field (which can be nil).

Maybe apart from checking against the interface, the function returned by the UnauthorizedHandler method should be checked against nil.

To reproduce

Instantiate a NewRelyingPartyOIDC without additional options and force an unauthorized error.

Screenshots

No response

Expected behavior

No response

Additional Context

No response

livio-a commented 8 months ago

Hey @rgzr. Thanks for raising this. We'll look into this and how we can handle the nil check the easiest way.

github-actions[bot] commented 7 months ago

:tada: This issue has been resolved in version 3.11.2 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: