From 758bcd1e97eb4e8b1384fa4aa6945fde9d7f9cc8 Mon Sep 17 00:00:00 2001
From: Jason Rasmussen
Date: Sat, 8 Feb 2025 17:01:28 -0500
Subject: [PATCH] fix(server): validate oauth profile has a sub (#15967)

---
 server/src/repositories/oauth.repository.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/server/src/repositories/oauth.repository.ts b/server/src/repositories/oauth.repository.ts
index 85263cd6472..29e6ffbb52f 100644
--- a/server/src/repositories/oauth.repository.ts
+++ b/server/src/repositories/oauth.repository.ts
@@ -43,7 +43,12 @@ export class OAuthRepository {
 const params = client.callbackParams(url);
 try {
 const tokens = await client.callback(redirectUrl, params, { state: params.state });
- return await client.userinfo(tokens.access_token || '');
+ const profile = await client.userinfo(tokens.access_token || '');
+ if (!profile.sub) {
+ throw new Error('Unexpected profile response, no `sub`');
+ }
+
+ return profile;
 } catch (error: Error | any) {
 if (error.message.includes('unexpected JWT alg received')) {
 this.logger.warn(
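Review bot: The added guard rejects a profile without `sub`, but the line above it still sends an empty bearer token to the provider when `tokens.access_token` is absent, so that failure surfaces as an opaque userinfo error instead of a clear local one; reject the token response first with `if (!tokens.access_token) { throw new Error('Unexpected token response, no access_token'); }` before calling `client.userinfo`. The new `throw` is caught by the `catch (error: Error | any)` immediately below, which inspects `error.message` for the JWT-alg case; the rest of that catch and the enclosing method lie outside the hunk, so whether the new error is rethrown unchanged or wrapped cannot be confirmed from here. A one-line comment on the guard, `// sub is the stable subject identifier used to link this OAuth identity to a user; never proceed without it`, would record why an otherwise valid-looking profile is refused.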