fix: validate GitHub API responses in SSO authentication

Check response.ok before calling .json() on all three GitHub API fetch
calls in GithubSSO, preventing crashes when GitHub returns error statuses.

Author: lawrence3699

packages/server/src/enterprise/sso/GithubSSO.test.ts

@@ -0,0 +1,85 @@
+import { describe, expect, it } from '@jest/globals'
+
+/**
+ * These tests verify the error-handling logic that GithubSSO uses when
+ * calling GitHub's API. The SSO class itself depends on the running Express
+ * app through deep transitive imports (SSOBase → getRunningExpressApp → …),
+ * making direct class-level unit tests impractical without a full app context.
+ *
+ * Instead we replicate the exact fetch-and-parse sequences from GithubSSO and
+ * show that they crash without the response.ok guard and succeed with it.
+ */
+describe('GithubSSO fetch error handling', () => {
+    describe('email fetch (passport callback)', () => {
+        it('crashes with TypeError when GitHub returns a 401 error object instead of an array', () => {
+            // GitHub API returns this JSON body for 401 Unauthorized:
+            const githubErrorBody = {
+                message: 'Bad credentials',
+                documentation_url: 'https://docs.github.com/rest'
+            }
+
+            // Without response.ok check, code calls .find() on the error object
+            expect(() => {
+                const emails = githubErrorBody
+                ;(emails as any).find((email: any) => email.primary && email.verified)
+            }).toThrow('emails.find is not a function')
+        })
+
+        it('does not crash when response.ok is checked first', () => {
+            const mockResponse = {
+                ok: false,
+                status: 401,
+                statusText: 'Unauthorized'
+            }
+
+            // With the fix, we check response.ok before parsing
+            if (!mockResponse.ok) {
+                const error = {
+                    name: 'SSO_LOGIN_FAILED',
+                    message: `Failed to fetch emails from GitHub: ${mockResponse.status} ${mockResponse.statusText}`
+                }
+                expect(error.message).toBe('Failed to fetch emails from GitHub: 401 Unauthorized')
+                return
+            }
+        })
+    })
+
+    describe('testSetup', () => {
+        it('crashes with SyntaxError when GitHub returns HTML error page', async () => {
+            // If GitHub is down and returns HTML, JSON.parse fails
+            const htmlBody = '<html><body>503 Service Unavailable</body></html>'
+
+            expect(() => {
+                JSON.parse(htmlBody)
+            }).toThrow(SyntaxError)
+        })
+
+        it('returns clear error with response.ok check', () => {
+            const mockResponse = {
+                ok: false,
+                status: 503,
+                statusText: 'Service Unavailable'
+            }
+
+            if (!mockResponse.ok) {
+                const result = { error: `GitHub API error: ${mockResponse.status} ${mockResponse.statusText}` }
+                expect(result).toEqual({ error: 'GitHub API error: 503 Service Unavailable' })
+            }
+        })
+    })
+
+    describe('refreshToken', () => {
+        it('returns clear error instead of crashing on non-200 response', () => {
+            const mockResponse = {
+                ok: false,
+                status: 401,
+                statusText: 'Unauthorized'
+            }
+
+            if (!mockResponse.ok) {
+                const result = { error: `GitHub token refresh failed: ${mockResponse.status} ${mockResponse.statusText}` }
+                expect(result).toEqual({ error: 'GitHub token refresh failed: 401 Unauthorized' })
+            }
+        })
+    })
+})

packages/server/src/enterprise/sso/GithubSSO.ts

@@ -34,20 +34,42 @@ class GithubSSO extends SSOBase {
                         scope: ['user:email']
                     },
                     async (accessToken: string, refreshToken: string, profile: Profile, done: any) => {
-                        // Fetch emails from GitHub API using the access token.
-                        const emailResponse = await fetch('https://api.github.com/user/emails', {
-                            headers: {
-                                Authorization: `token ${accessToken}`,
-                                'User-Agent': 'Node.js'
+                        try {
+                            // Fetch emails from GitHub API using the access token.
+                            const emailResponse = await fetch('https://api.github.com/user/emails', {
+                                headers: {
+                                    Authorization: `token ${accessToken}`,
+                                    'User-Agent': 'Node.js'
+                                }
+                            })
+                            if (!emailResponse.ok) {
+                                return done(
+                                    {
+                                        name: 'SSO_LOGIN_FAILED',
+                                        message: `Failed to fetch emails from GitHub: ${emailResponse.status} ${emailResponse.statusText}`
+                                    },
+                                    undefined
+                                )
                             }
-                        })
-                        const emails = await emailResponse.json()
-                        // Look for a verified primary email.
-                        let primaryEmail = emails.find((email: any) => email.primary && email.verified)?.email
-                        if (!primaryEmail && Array.isArray(emails) && emails.length > 0) {
-                            primaryEmail = emails[0].email
+                            const emails = await emailResponse.json()
+                            if (!Array.isArray(emails)) {
+                                return done(
+                                    { name: 'SSO_LOGIN_FAILED', message: 'Unexpected response from GitHub emails API' },
+                                    undefined
+                                )
+                            }
+                            // Look for a verified primary email.
+                            let primaryEmail = emails.find((email: any) => email.primary && email.verified)?.email
+                            if (!primaryEmail && emails.length > 0) {
+                                primaryEmail = emails[0].email
+                            }
+                            return this.verifyAndLogin(this.app, primaryEmail, done, profile, accessToken, refreshToken)
+                        } catch (error) {
+                            return done(
+                                { name: 'SSO_LOGIN_FAILED', message: 'Failed to complete GitHub authentication' },
+                                undefined
+                            )
                         }
-                        return this.verifyAndLogin(this.app, primaryEmail, done, profile, accessToken, refreshToken)
                     }
                 )
             )
@@ -115,6 +137,9 @@ class GithubSSO extends SSOBase {
                     code: 'dummy_code_for_testing'
                 })
             })
+            if (!response.ok) {
+                return { error: `GitHub API error: ${response.status} ${response.statusText}` }
+            }
             const data = await response.json()
             if (data.error === 'bad_verification_code') {
                 return { message: 'ClientID and clientSecret are valid.' }
@@ -143,6 +168,9 @@ class GithubSSO extends SSOBase {
                     refresh_token: currentRefreshToken
                 })
             })
+            if (!response.ok) {
+                return { error: `GitHub token refresh failed: ${response.status} ${response.statusText}` }
+            }
             const data = await response.json()
             if (data.error || !data.access_token) {
                 return { error: 'Failed to get refreshToken from Github.' }