crash in store due to a bug in mysql adapter on missing auth record

or-else · or-else · commit f7a42cd16d98 · 2021-08-19T20:45:49.000-07:00
diff --git a/server/db/mongodb/adapter.go b/server/db/mongodb/adapter.go
@@ -1121,7 +1121,7 @@ func (a *adapter) AuthGetRecord(uid t.Uid, scheme string) (string, auth.Level, [
 	err := a.db.Collection("auth").FindOne(a.ctx, filter, findOpts).Decode(&record)
 	if err != nil {
 		if err == mdb.ErrNoDocuments {
-			return "", 0, nil, time.Time{}, t.ErrNotFound
+			err = t.ErrNotFound
 		}
 		return "", 0, nil, time.Time{}, err
 	}
diff --git a/server/db/mysql/adapter.go b/server/db/mysql/adapter.go
@@ -867,8 +867,8 @@ func (a *adapter) AuthGetRecord(uid t.Uid, scheme string) (string, auth.Level, [
 	if err := a.db.GetContext(ctx, &record, "SELECT uname,secret,expires,authlvl FROM auth WHERE userid=? AND scheme=?",
 		store.DecodeUid(uid), scheme); err != nil {
 		if err == sql.ErrNoRows {
-			// Nothing found - clear the error
-			err = nil
+			// Nothing found - use standard error.
+			err = t.ErrNotFound
 		}
 		return "", 0, nil, expires, err
 	}
diff --git a/server/session.go b/server/session.go
@@ -955,7 +955,8 @@ func (s *Session) login(msg *ClientComMessage) {
 }
 
 // authSecretReset resets an authentication secret;
-//  params: "auth-method-to-reset:credential-method:credential-value".
+// params: "auth-method-to-reset:credential-method:credential-value",
+// for example: "basic:email:alice@example.com".
 func (s *Session) authSecretReset(params []byte) error {
 	var authScheme, credMethod, credValue string
 	if parts := strings.Split(string(params), ":"); len(parts) == 3 {
diff --git a/server/store/store.go b/server/store/store.go
@@ -322,8 +322,13 @@ func (UsersObjMapper) GetAuthRecord(user types.Uid, scheme string) (string, auth
 	unique, authLvl, secret, expires, err := adp.AuthGetRecord(user, scheme)
 	if err == nil {
 		parts := strings.Split(unique, ":")
-		unique = parts[1]
+		if len(parts) > 1 {
+			unique = parts[1]
+		} else {
+			err = types.ErrInternal
+		}
 	}
+
 	return unique, authLvl, secret, expires, err
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1121,7 +1121,7 @@ func (a *adapter) AuthGetRecord(uid t.Uid, scheme string) (string, auth.Level, [`
`1121`	`1121`	`err := a.db.Collection("auth").FindOne(a.ctx, filter, findOpts).Decode(&record)`
`1122`	`1122`	`if err != nil {`
`1123`	`1123`	`if err == mdb.ErrNoDocuments {`
`1124`		`- return "", 0, nil, time.Time{}, t.ErrNotFound`
	`1124`	`+ err = t.ErrNotFound`
`1125`	`1125`	`}`
`1126`	`1126`	`return "", 0, nil, time.Time{}, err`
`1127`	`1127`	`}`
Original file line number	Diff line number	Diff line change
`@@ -867,8 +867,8 @@ func (a *adapter) AuthGetRecord(uid t.Uid, scheme string) (string, auth.Level, [`
`867`	`867`	`if err := a.db.GetContext(ctx, &record, "SELECT uname,secret,expires,authlvl FROM auth WHERE userid=? AND scheme=?",`
`868`	`868`	`store.DecodeUid(uid), scheme); err != nil {`
`869`	`869`	`if err == sql.ErrNoRows {`
`870`		`- // Nothing found - clear the error`
`871`		`- err = nil`
	`870`	`+ // Nothing found - use standard error.`
	`871`	`+ err = t.ErrNotFound`
`872`	`872`	`}`
`873`	`873`	`return "", 0, nil, expires, err`
`874`	`874`	`}`
Original file line number	Diff line number	Diff line change
`@@ -955,7 +955,8 @@ func (s Session) login(msg ClientComMessage) {`
`955`	`955`	`}`
`956`	`956`
`957`	`957`	`// authSecretReset resets an authentication secret;`
`958`		`-// params: "auth-method-to-reset:credential-method:credential-value".`
	`958`	`+// params: "auth-method-to-reset:credential-method:credential-value",`
	`959`	`+// for example: "basic:email:alice@example.com".`
`959`	`960`	`func (s *Session) authSecretReset(params []byte) error {`
`960`	`961`	`var authScheme, credMethod, credValue string`
`961`	`962`	`if parts := strings.Split(string(params), ":"); len(parts) == 3 {`
Original file line number	Diff line number	Diff line change
`@@ -322,8 +322,13 @@ func (UsersObjMapper) GetAuthRecord(user types.Uid, scheme string) (string, auth`
`322`	`322`	`unique, authLvl, secret, expires, err := adp.AuthGetRecord(user, scheme)`
`323`	`323`	`if err == nil {`
`324`	`324`	`parts := strings.Split(unique, ":")`
`325`		`- unique = parts[1]`
	`325`	`+ if len(parts) > 1 {`
	`326`	`+ unique = parts[1]`
	`327`	`+ } else {`
	`328`	`+ err = types.ErrInternal`
	`329`	`+ }`
`326`	`330`	`}`
	`331`	`+`
`327`	`332`	`return unique, authLvl, secret, expires, err`
`328`	`333`	`}`
`329`	`334`