
fix: prevent panics from unchecked type assertions in OIDC provider#14

Merged
tphakala merged 1 commit into master from fix/oidc-unchecked-type-assertions
Mar 15, 2026

Conversation

@tphakala
Owner

Summary

  • Use checked type assertions (comma-ok pattern) for id_token extra field to prevent panic on non-string values
  • Validate exp claim presence and type before casting to prevent panic on malformed JWTs
  • Handle http.NewRequest error in fetchUserInfo instead of discarding it

Security impact: Malformed provider responses could crash the server via nil pointer panics. These are now handled gracefully with error returns.

Test plan

  • go test ./providers/openidConnect/... -v passes
  • New Test_ValidateClaims_MissingExp verifies missing exp returns error
  • New Test_ValidateClaims_InvalidExpType verifies non-numeric exp returns error

@coderabbitai

coderabbitai bot commented Mar 15, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4f42aaff-f41f-4100-9f4b-1b5ae5664842

📥 Commits

Reviewing files that changed from the base of the PR and between b738bce and c7c2e42.

📒 Files selected for processing (3)
  • providers/openidConnect/openidConnect.go
  • providers/openidConnect/openidConnect_test.go
  • providers/openidConnect/session.go

@gemini-code-assist

Summary of Changes


This pull request significantly enhances the robustness and security of the OpenID Connect provider. By introducing comprehensive validation for JWT claims, particularly the exp field, and implementing safer type assertions for id_token values, the system is now protected against panics that could arise from malformed or unexpected data from OIDC providers. Additionally, error handling for HTTP request creation has been improved, contributing to overall stability.

Highlights

  • OIDC id_token handling: Implemented checked type assertions for the id_token extra field to prevent panics when non-string values are encountered.
  • JWT exp claim validation: Enhanced validation for the exp (expiry) claim in JWTs, ensuring its presence and correct numeric type to prevent server crashes from malformed tokens.
  • HTTP request error handling: Added explicit error handling for http.NewRequest calls within the fetchUserInfo function, improving robustness.
  • Security and Stability: Addressed potential security vulnerabilities by preventing server panics caused by malformed OIDC provider responses, leading to more graceful error handling.
Changelog
  • providers/openidConnect/openidConnect.go
    • Validated the exp claim in JWTs for presence and correct float64 type, replacing an unchecked type assertion.
    • Added error handling for http.NewRequest in fetchUserInfo to catch potential request creation failures.
  • providers/openidConnect/openidConnect_test.go
    • Added Test_ValidateClaims_MissingExp to ensure an error is returned when the exp claim is absent.
    • Added Test_ValidateClaims_InvalidExpType to verify an error is returned when the exp claim is not a number.
  • providers/openidConnect/session.go
    • Updated id_token extraction to use a checked type assertion, preventing panics if the value is not a string.
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively addresses several potential panic scenarios in the OpenID Connect provider, enhancing its robustness and security. The changes introduce checked type assertions for the id_token and exp claims, and properly handle a previously ignored error from http.NewRequest. These modifications prevent the server from crashing due to malformed provider responses. The accompanying new tests are a great addition for verifying the fixes, and the suggestions provided align with our testing best practices using the testify package.

Comment on lines +224 to +225
a.Error(err)
a.Contains(err.Error(), "exp")

medium

For improved test precision, it's better to assert against the exact error message. Using a.EqualError will ensure that validateClaims is returning the specific error expected for a missing exp claim, making the test more robust.

Suggested change
a.Error(err)
a.Contains(err.Error(), "exp")
a.EqualError(err, "missing required exp claim in token")
References
  1. Use the testify package for assertions in tests to maintain consistency with the existing codebase.

Owner Author

Fixed in latest push — switched to a.EqualError for exact error message matching.

Comment on lines +240 to +241
a.Error(err)
a.Contains(err.Error(), "exp")

medium

Similar to the previous test, this assertion can be made more specific. Checking for the exact error message with a.EqualError will make the test more reliable by ensuring it fails for the correct reason, rather than just any error containing "exp".

Suggested change
a.Error(err)
a.Contains(err.Error(), "exp")
a.EqualError(err, "invalid exp claim type in token")
References
  1. Use the testify package for assertions in tests to maintain consistency with the existing codebase.

Owner Author

Fixed in latest push — switched to a.EqualError for exact error message matching.

@tphakala
Owner Author

/gemini review

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively addresses potential panics from unchecked type assertions in the OpenID Connect provider, making the code more robust. The changes include adding checks for the exp claim in JWTs, safely handling the id_token field, and properly managing errors from http.NewRequest. The addition of corresponding unit tests is also a great improvement. I have one suggestion to further improve error handling for malformed id_token values to be more explicit, similar to how other claims are handled in this PR.

Comment on lines +61 to +63
if str, ok := idToken.(string); ok {
s.IDToken = str
}

medium

While this change correctly prevents a panic, it silently ignores an id_token that is not a string. This could lead to subtle bugs where s.IDToken is unexpectedly empty, causing failures later in FetchUser. It would be more robust to return an error immediately if the id_token has an unexpected type, which is consistent with how other claims are handled elsewhere in this pull request.

		str, ok := idToken.(string)
		if !ok {
			return "", errors.New("id_token is not a string")
		}
		s.IDToken = str

Owner Author

Valid point. For now the silent ignore matches the existing behavior (if id_token is nil, IDToken stays empty). Returning an error here would be a behavior change that could break callers who don't expect Authorize to fail on a valid token exchange just because the id_token extra field has an unexpected type. I'll track this as a follow-up improvement.
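The two fixes this PR describes (validating the exp claim's presence and type before casting, and reading the id_token extra field with a comma-ok assertion) and the id_token policy discussed in the thread above, shown together as an added, self-contained example. This is not the project's code: the function names ParseClaims, ValidateExp and ExtractIDToken, the ErrTokenExpired sentinel, and the sample payloads are assumptions made for the example; the two exp error messages are the ones quoted in the review comments.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Sentinel errors. The two exp messages are quoted from the review thread for
// this PR; the expiry error is an added assumption for this example.
var (
	ErrMissingExp     = errors.New("missing required exp claim in token")
	ErrInvalidExpType = errors.New("invalid exp claim type in token")
	ErrTokenExpired   = errors.New("token has expired")
)

// ParseClaims decodes a JWT payload (the JSON object in the middle segment,
// after base64url decoding) into a generic map. encoding/json stores every
// JSON number held in an interface{} as float64, which is why the exp check
// below asserts float64 and why a quoted "exp" value fails that assertion.
func ParseClaims(payload []byte) (map[string]interface{}, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	return claims, nil
}

// ValidateExp is the checked form of a bare claims["exp"].(float64): presence
// is tested first, then the type via the comma-ok assertion, so a missing or
// non-numeric exp yields an error instead of a runtime panic.
func ValidateExp(claims map[string]interface{}, now time.Time) error {
	raw, present := claims["exp"]
	if !present {
		return ErrMissingExp
	}
	exp, ok := raw.(float64)
	if !ok {
		return ErrInvalidExpType
	}
	if !now.Before(time.Unix(int64(exp), 0)) {
		return ErrTokenExpired
	}
	return nil
}

// ExtractIDToken applies the same comma-ok pattern to the id_token extra
// field of a token response. As merged, a non-string value is ignored rather
// than rejected; the boolean result lets a caller choose either policy
// without risking a panic.
func ExtractIDToken(extra map[string]interface{}) (string, bool) {
	raw, present := extra["id_token"]
	if !present {
		return "", false
	}
	str, ok := raw.(string)
	if !ok {
		return "", false
	}
	return str, true
}

func main() {
	// Constructed sample payloads, not captured from any real provider.
	now := time.Unix(1700000000, 0)
	for _, payload := range []string{
		`{"sub":"alice","exp":1700000600}`,
		`{"sub":"alice"}`,
		`{"sub":"alice","exp":"1700000600"}`,
		`{"sub":"alice","exp":1699999000}`,
	} {
		claims, err := ParseClaims([]byte(payload))
		if err != nil {
			fmt.Println(payload, "=>", err)
			continue
		}
		fmt.Println(payload, "=>", ValidateExp(claims, now))
	}
	// A provider that returns a non-string id_token no longer panics.
	tok, ok := ExtractIDToken(map[string]interface{}{"id_token": 42})
	fmt.Printf("id_token=%q ok=%v\n", tok, ok)
}
```

Returning the boolean from ExtractIDToken keeps the merged behaviour (an unexpected type leaves the token empty) while making the "silent ignore versus hard error" choice explicit at the call site, which is the follow-up the thread above defers.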

Fix three sources of potential panics:
- id_token extra field: use checked type assertion instead of bare cast
- exp claim: validate presence and type before casting
- fetchUserInfo: handle http.NewRequest error instead of discarding
@tphakala tphakala force-pushed the fix/oidc-unchecked-type-assertions branch from b0509c1 to c7c2e42 Compare March 15, 2026 12:36
@tphakala tphakala merged commit 37c74ce into master Mar 15, 2026
15 checks passed