From 2f5da9fc5e23cdce585d6a2d20d0ebb66bd62fe9 Mon Sep 17 00:00:00 2001
From: Andreas Wrede
Date: Sat, 9 May 2026 08:46:19 -0400
Subject: [PATCH] fix: coerce malformed profile JSON to OAuthError; add redirect_uri assertion

Co-Authored-By: Claude Sonnet 4.6
---
 hbd/server/oauth.py | 7 +++++--
 tests/test_oauth.py | 1 +
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/hbd/server/oauth.py b/hbd/server/oauth.py
index 026b921..5097bf9 100644
--- a/hbd/server/oauth.py
+++ b/hbd/server/oauth.py
@@ -241,8 +241,11 @@ async def fetch_user(provider: ResolvedProvider, token: str) -> dict:
     except aiohttp.ClientError as exc:
         raise OAuthError(f"User fetch network error: {exc}") from exc
 
-    for key in provider.profile_data_path:
-        data = data.get(key, {})
+    try:
+        for key in provider.profile_data_path:
+            data = data.get(key, {})
+    except AttributeError:
+        raise OAuthError(f"Unexpected profile response structure from {provider.type}")
 
     avatar_field = provider.field_map.get("avatar")
     return {
diff --git a/tests/test_oauth.py b/tests/test_oauth.py
index df479c7..bd0bc60 100644
--- a/tests/test_oauth.py
+++ b/tests/test_oauth.py
@@ -363,6 +363,7 @@ def test_build_auth_url_gitea():
     assert qs["state"] == ["teststate"]
     assert qs["scope"] == ["user:email"]
     assert qs["response_type"] == ["code"]
+    assert qs["redirect_uri"] == ["https://hbd.example.com/login/oauth/gitea/callback"]
 
 
 def test_build_auth_url_github():
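Review bot: The new `except AttributeError:` in fetch_user only guards the traversal itself, not the value left in `data` after the loop: when `profile_data_path` is empty, or its last key maps to a list, string or null, `data` is still a non-dict and the `return {` that follows (its body is outside this hunk) presumably reads fields from it and would fail with a raw exception rather than the OAuthError this commit intends. A shape check after the loop closes that gap without trusting the provider's response structure. The new `raise OAuthError(...)` also drops the cause, unlike the `from exc` used two lines above in the same function; bind the exception and chain it so the traceback keeps the original failure. The rewritten lines below keep the author's try/except and add the post-loop guard.

```python
    try:
        for key in provider.profile_data_path:
            data = data.get(key, {})
    except AttributeError as exc:
        raise OAuthError(f"Unexpected profile response structure from {provider.type}") from exc
    # The traversal can end on a list/str/None without raising; the field
    # extraction below needs a mapping, so reject anything else up front.
    if not isinstance(data, dict):
        raise OAuthError(f"Unexpected profile response structure from {provider.type}")
    # … unchanged: avatar_field lookup and return dict …
```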