supertokens/supertokens-golang

Invalid body causes panics in the server

Nikola-Milovic opened this issue · 1 comments

Hello, as I was playing around with the self-hosted supertokens server, I noticed that if I send an incorrect type of body to auth/signin (probably others as well), the server panics and crashes.

Setup is the same as in the docs.

The request is as follows; notice the lack of formFields and id values:

curl --location --request POST 'http://localhost:8301/auth/signin' --header 'rid: thirdpartyemailpassword' --header 'Content-Type: application/json' --data-raw '{
        "email": "john@example.com",
        "password": "somePassword123"
}'

The crash is as follows:

backend-app-1   | 2023/04/01 16:12:41 http: panic serving 192.168.176.1:40364: interface conversion: interface {} is nil, not []interface {}
backend-app-1   | goroutine 126 [running]:
backend-app-1   | net/http.(*conn).serve.func1()
backend-app-1   |       /usr/local/go/src/net/http/server.go:1854 +0xbf
backend-app-1   | panic({0xa2b9a0, 0xc00075d080})
backend-app-1   |       /usr/local/go/src/runtime/panic.go:890 +0x263
backend-app-1   | github.com/supertokens/supertokens-golang/recipe/emailpassword/api.SignInAPI({_, _, _, _, _}, {{0xc00051c238, 0xc00051c240, 0xc00051c248, 0xc00051c250, 0xc00051c258, ...}, ...})
backend-app-1   |       /go/pkg/mod/github.com/supertokens/supertokens-golang@v0.10.5/recipe/emailpassword/api/signin.go:41 +0x650
backend-app-1   | github.com/supertokens/supertokens-golang/recipe/emailpassword.(*Recipe).handleAPIRequest(0x6e696e67?, {0xace71f?, 0x413303?}, 0xc0007131b0?, {0x7f0c3101ea60?, 0xc0000104c8?}, 0xc00046d032?, {{0xc00071e870?, 0xc000532cc0?}}, {0xc00046d000, ...})
backend-app-1   |       /go/pkg/mod/github.com/supertokens/supertokens-golang@v0.10.5/recipe/emailpassword/recipe.go:165 +0x37e
backend-app-1   | github.com/supertokens/supertokens-golang/recipe/thirdpartyemailpassword.(*Recipe).handleAPIRequest(0xc000007ba0, {0xace71f, 0x7}, 0x0?, {0x7f0c3101ea60, 0xc0000104c8}, 0xa3eec0?, {{0xc00046d032?, 0x0?}}, {0xc00046d000, ...})
backend-app-1   |       /go/pkg/mod/github.com/supertokens/supertokens-golang@v0.10.5/recipe/thirdpartyemailpassword/recipe.go:179 +0x206
backend-app-1   | github.com/supertokens/supertokens-golang/supertokens.(*superTokens).middleware.func2({0x7f0c3101e978?, 0xc000532c40?}, 0xc00017f800)
backend-app-1   |       /go/pkg/mod/github.com/supertokens/supertokens-golang@v0.10.5/supertokens/supertokens.go:183 +0xaab
backend-app-1   | net/http.HandlerFunc.ServeHTTP(0xc000273b80?, {0x7f0c3101e978?, 0xc000532c40?}, 0xc00017f800?)
backend-app-1   |       /usr/local/go/src/net/http/server.go:2122 +0x2f
backend-app-1   | github.com/go-chi/cors.(*Cors).Handler.func1({0x7f0c3101e978, 0xc000532c40}, 0xc00017f800)
backend-app-1   |       /go/pkg/mod/github.com/go-chi/cors@v1.2.1/cors.go:228 +0x1bd
backend-app-1   | net/http.HandlerFunc.ServeHTTP(0xc00017f700?, {0x7f0c3101e978?, 0xc000532c40?}, 0x30?)
backend-app-1   |       /usr/local/go/src/net/http/server.go:2122 +0x2f
backend-app-1   | github.com/go-chi/chi/v5/middleware.RequestLogger.func1.1({0xd084e0, 0xc0001b0380}, 0xc00017f700)
backend-app-1   |       /go/pkg/mod/github.com/go-chi/chi/v5@v5.0.8/middleware/logger.go:54 +0x17d
backend-app-1   | net/http.HandlerFunc.ServeHTTP(0xd089c0?, {0xd084e0?, 0xc0001b0380?}, 0x10c0170?)
backend-app-1   |       /usr/local/go/src/net/http/server.go:2122 +0x2f
backend-app-1   | github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc0000afda0, {0xd084e0, 0xc0001b0380}, 0xc00017f600)
backend-app-1   |       /go/pkg/mod/github.com/go-chi/chi/v5@v5.0.8/mux.go:90 +0x310
backend-app-1   | net/http.serverHandler.ServeHTTP({0xd06ec8?}, {0xd084e0, 0xc0001b0380}, 0xc00017f600)
backend-app-1   |       /usr/local/go/src/net/http/server.go:2936 +0x316
backend-app-1   | net/http.(*conn).serve(0xc00071f9e0, {0xd08a68, 0xc00041f1d0})
backend-app-1   |       /usr/local/go/src/net/http/server.go:1995 +0x612
backend-app-1   | created by net/http.(*Server).Serve
backend-app-1   |       /usr/local/go/src/net/http/server.go:3089 +0x5ed

The issue seems to originate from here:

formFields, err := validateFormFieldsOrThrowError(options.Config.SignInFeature.FormFields, formFieldsRaw["formFields"].([]interface{}))

Probably some input validation is necessary to make sure the data is in the correct format before proceeding.
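The panic in the trace comes from a single-value type assertion: when the body has no "formFields" key, formFieldsRaw["formFields"] is a nil interface{} and .([]interface{}) panics instead of failing. The following Go example is added here to illustrate that failure mode and the checked alternative; it is not code from the supertokens-golang SDK. The formField type, parseFormFields, unsafeFormFields and signInHandler are hypothetical names, and the two request bodies are constructed samples (the malformed one matches the curl request in the issue).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// formField is a constructed stand-in for a parsed {id, value} form field;
// it is not the SDK's own type.
type formField struct {
	ID    string
	Value string
}

var errBadBody = errors.New("formFields must be a non-empty JSON array of {id, value} objects")

// unsafeFormFields mirrors the unchecked assertion quoted in the issue:
// a missing or non-array "formFields" key yields a nil interface{}, and the
// single-value assertion panics with "interface conversion: interface {} is nil".
func unsafeFormFields(formFieldsRaw map[string]interface{}) []interface{} {
	return formFieldsRaw["formFields"].([]interface{})
}

// parseFormFields is the hardened version: every assertion uses the two-value
// form, so malformed input becomes a returned error rather than a panic.
func parseFormFields(body []byte) ([]formField, error) {
	var raw map[string]interface{}
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, fmt.Errorf("invalid JSON body: %w", err)
	}
	list, ok := raw["formFields"].([]interface{})
	if !ok || len(list) == 0 {
		return nil, errBadBody
	}
	out := make([]formField, 0, len(list))
	for _, item := range list {
		obj, ok := item.(map[string]interface{})
		if !ok {
			return nil, errBadBody
		}
		id, ok := obj["id"].(string)
		if !ok || id == "" {
			return nil, errBadBody
		}
		value, ok := obj["value"].(string)
		if !ok {
			return nil, errBadBody
		}
		out = append(out, formField{ID: id, Value: value})
	}
	return out, nil
}

// signInHandler shows how the checked parser maps to HTTP: a malformed body is
// answered with 400 Bad Request instead of tearing down the connection.
// Hypothetical handler, not the SDK's SignInAPI.
func signInHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap body size as well
	if err != nil {
		http.Error(w, "cannot read body", http.StatusBadRequest)
		return
	}
	fields, err := parseFormFields(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]interface{}{"status": "OK", "fieldCount": len(fields)})
}

// panics reports whether calling f panics; used to demonstrate the old behaviour.
func panics(f func()) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

func main() {
	// Constructed sample bodies: the malformed one from the issue and a well-formed one.
	bad := []byte(`{"email":"john@example.com","password":"somePassword123"}`)
	good := []byte(`{"formFields":[{"id":"email","value":"john@example.com"},{"id":"password","value":"somePassword123"}]}`)

	var raw map[string]interface{}
	_ = json.Unmarshal(bad, &raw)
	fmt.Println("unchecked assertion panics:", panics(func() { unsafeFormFields(raw) }))

	if _, err := parseFormFields(bad); err != nil {
		fmt.Println("checked parse rejects bad body:", err)
	}
	fields, err := parseFormFields(good)
	fmt.Println("checked parse accepts good body:", fields, err)
}
```

The design point is that, in Go, any single-value assertion on decoded JSON is a crash path reachable by an unauthenticated client, so request parsing should use the comma-ok form throughout and reject the body with a 4xx before any recipe logic runs.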

This has been fixed in golang SDK version >= 0.10.6.