fix: reject oauth callbacks without provider emails

Author: tristanbob

app/Http/Controllers/OauthController.php

@@ -19,7 +19,11 @@ public function callback(string $provider)
     {
         try {
             $oauthUser = get_socialite_provider($provider)->user();
-            $email = strtolower(trim((string) $oauthUser->email));
+            $email = trim((string) $oauthUser->email);
+            if ($email === '') {
+                abort(403, 'OAuth provider did not return an email address');
+            }
+            $email = strtolower($email);
             $user = User::whereEmail($email)->first();
             if (! $user) {
                 $settings = instanceSettings();

tests/Feature/OauthControllerTest.php

@@ -47,3 +47,33 @@
     $this->assertAuthenticatedAs($user);
     expect(User::count())->toBe(1);
 });
+
+it('rejects oauth logins when the provider does not return an email address', function (?string $providerEmail) {
+    config()->set('app.maintenance.driver', 'file');
+    InstanceSettings::firstOrCreate([
+        'id' => 0,
+    ], [
+        'is_registration_enabled' => false,
+    ])->update([
+        'is_registration_enabled' => true,
+    ]);
+
+    $provider = \Mockery::mock();
+    $provider->shouldReceive('setConfig')->once()->andReturnSelf();
+    $provider->shouldReceive('with')->once()->with(['hd' => 'example.com'])->andReturnSelf();
+    $provider->shouldReceive('user')->once()->andReturn((object) [
+        'email' => $providerEmail,
+        'name' => 'Tristan Rhodes',
+        'id' => 'google-user-id',
+    ]);
+
+    Socialite::shouldReceive('driver')->once()->with('google')->andReturn($provider);
+
+    $response = $this->from('/login')->get(route('auth.callback', 'google'));
+
+    $response->assertRedirect('/login');
+    expect(User::count())->toBe(0);
+})->with([
+    'null email' => [null],
+    'blank email' => ['   '],
+]);