fix(server): validate oauth profile has a sub (#15967)

immich-app · Feb 8, 2025 · 758bcd1 · 758bcd1
1 parent fb21950
commit 758bcd1
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/server/src/repositories/oauth.repository.ts b/server/src/repositories/oauth.repository.ts
@@ -43,7 +43,12 @@ export class OAuthRepository {
     const params = client.callbackParams(url);
     try {
       const tokens = await client.callback(redirectUrl, params, { state: params.state });
-      return await client.userinfo<OAuthProfile>(tokens.access_token || '');
+      const profile = await client.userinfo<OAuthProfile>(tokens.access_token || '');
+      if (!profile.sub) {
+        throw new Error('Unexpected profile response, no `sub`');
+      }
+
+      return profile;
     } catch (error: Error | any) {
       if (error.message.includes('unexpected JWT alg received')) {
         this.logger.warn(