fix: Recognise authentication_required for some OIDC providers (#10252)

Some OIDC providers return 401 Unauthorized errors with an empty body when the access token has expired. Avoid trying to parse the body as JSON before we've checked whether the status code is OK. Fixes #10251.
2026-01-06 11:09:55 -06:00 · 2025-09-26 05:52:53 +01:00
parent 92db179230
commit 7b27b74e24
2 changed files with 37 additions and 1 deletions
--- a/server/utils/oauth.test.ts
+++ b/server/utils/oauth.test.ts
@@ -0,0 +1,31 @@
+import fetchMock from "jest-fetch-mock";
+import OAuthClient from "./oauth";
+
+class MinimalOAuthClient extends OAuthClient {
+  endpoints = {
+    authorize: 'http://example.com/authorize',
+    token: 'http://example.com/token',
+    userinfo: 'http://example.com/userinfo',
+  };
+}
+
+beforeEach(() => {
+  fetchMock.resetMocks();
+});
+
+describe("userInfo", () => {
+  it("should work with empty-body 401 Unauthorized responses", async () => {
+    fetchMock.mockResponseOnce('', {
+      status: 401,
+      statusText: 'unauthorized',
+    });
+
+    const client = new MinimalOAuthClient('clientid', 'clientsecret');
+    try {
+      expect.assertions(1);
+      await client.userInfo('token');
+    } catch (e) {
+      expect(e.id).toBe('authentication_required');
+    }
+  });
+});
--- a/server/utils/oauth.ts
+++ b/server/utils/oauth.ts
@@ -30,7 +30,6 @@ export default abstract class OAuthClient {
          "Content-Type": "application/json",
        },
      });
-      data = await response.json();
    } catch (err) {
      throw InvalidRequestError(err.message);
    }
@@ -40,6 +39,12 @@ export default abstract class OAuthClient {
      throw AuthenticationError();
    }

+    try {
+      data = await response.json();
+    } catch (err) {
+      throw InvalidRequestError(err.message);
+    }
+
    return data;
  };