handle errors when parsing JWT header at the end of the code flow

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>

Author: julien-nc

lib/Controller/LoginController.php

@@ -503,15 +503,23 @@ public function code(string $state = '', string $code = '', string $scope = '',
 		$this->logger->debug('Received code response: ' . json_encode($data, JSON_THROW_ON_ERROR));
 		$this->eventDispatcher->dispatchTyped(new TokenObtainedEvent($data, $provider, $discovery));
 
-		// TODO: proper error handling
 		$idTokenRaw = $data['id_token'];
 		if ($usePrivateKeyJwt) {
-			// we could check the header there
 			// if kid is our private JWK, we have a JWE to decrypt
 			// if typ=JWT, we have a classic JWT to decode
 			$jwtParts = explode('.', $idTokenRaw, 3);
-			$jwtHeader = json_decode(JWT::urlsafeB64Decode($jwtParts[0]), true);
-			$this->logger->warning('JWT HEADER', ['jwt_header' => $jwtHeader]);
+			try {
+				$jwtHeader = json_decode(JWT::urlsafeB64Decode($jwtParts[0]), true, flags: JSON_THROW_ON_ERROR);
+			} catch (\JsonException $e) {
+				$this->logger->error('Malformed JWT id token header', ['exception' => $e]);
+				$message = $this->l10n->t('Failed to decode JWT id token header');
+				return $this->buildErrorTemplateResponse($message, Http::STATUS_BAD_REQUEST, throttle: false);
+			} catch (\Exception|\Throwable $e) {
+				$this->logger->error('Impossible to decode JWT id token header', ['exception' => $e]);
+				$message = $this->l10n->t('Failed to decode JWT id token header');
+				return $this->buildErrorTemplateResponse($message, Http::STATUS_BAD_REQUEST, throttle: false);
+			}
+			$this->logger->debug('JWT HEADER', ['jwt_header' => $jwtHeader]);
 			if (isset($jwtHeader['typ']) && $jwtHeader['typ'] === 'JWT') {
 				// we have a JWT, do nothing
 			} elseif (isset($jwtHeader['cty']) && $jwtHeader['cty'] === 'JWT') {