feat: sanitize external identity provider user data (#681)

* feat: sanitize external user data * remove config option to disable Sanitization: sanitize_external_user_data * cleanup --------- Co-authored-by: Christoph Haas <christoph.h@sprinternet.at>
2026-05-28 08:56:17 +00:00 · 2026-05-18 23:28:27 +03:00
parent ff935a404e
commit 958dcb8fa9
24 changed files with 1545 additions and 50 deletions
--- a/internal/domain/user.go
+++ b/internal/domain/user.go
@@ -282,6 +282,32 @@ func (u *User) CreateDefaultPeers() bool {
 	return true
 }

+// SanitizeExternalData sanitizes user profile fields received from an external identity provider.
+// Returns ErrInvalidData if the identifier becomes empty after sanitization.
+func (u *User) SanitizeExternalData(providerType, providerName string) error {
+	identifier := string(u.Identifier)
+	LogSanitizeChange(providerType, providerName, "identifier", identifier,
+		func() string { return SanitizeIdentifier(identifier, 256) }, &identifier)
+	u.Identifier = UserIdentifier(identifier)
+
+	LogSanitizeChange(providerType, providerName, "email", u.Email,
+		func() string { return SanitizeEmail(u.Email, 254) }, &u.Email)
+	LogSanitizeChange(providerType, providerName, "firstname", u.Firstname,
+		func() string { return SanitizeString(u.Firstname, 128) }, &u.Firstname)
+	LogSanitizeChange(providerType, providerName, "lastname", u.Lastname,
+		func() string { return SanitizeString(u.Lastname, 128) }, &u.Lastname)
+	LogSanitizeChange(providerType, providerName, "phone", u.Phone,
+		func() string { return SanitizePhone(u.Phone, 50) }, &u.Phone)
+	LogSanitizeChange(providerType, providerName, "department", u.Department,
+		func() string { return SanitizeString(u.Department, 128) }, &u.Department)
+
+	if u.Identifier == "" {
+		return fmt.Errorf("empty user identifier: %w", ErrInvalidData)
+	}
+
+	return nil
+}
+
 // region webauthn

 func (u *User) WebAuthnID() []byte {