fix: add check for nil secret on oauthv2 (#5807)

ItsSudip · web-flow · commit 9f82e4d31f0f · 2025-05-02T15:51:28.000Z
# Description We are adding validation for a nil secret being stored in the cache, for OAuthV2. ## Linear Ticket https://linear.app/rudderstack/issue/INT-3599/fix-add-validation-for-nil-secret-being-stored-in-cache-for-oauthv2 ## Security - [ ] The code changed/added as part of this pull request won't create any security issues with how the software is being used.
diff --git a/services/oauth/v2/oauth.go b/services/oauth/v2/oauth.go
@@ -356,6 +356,10 @@ func (h *OAuthHandler) GetRefreshTokenErrResp(response string, accountSecret *Ac
 	return errorType, message
 }
 
+func isEmptySecret(accountSecret AccountSecret) bool {
+	return accountSecret.Secret == nil || string(accountSecret.Secret) == `{}` || string(accountSecret.Secret) == "\"\"" || string(accountSecret.Secret) == "null"
+}
+
 // This method hits the Control Plane to get the account information
 // As well update the account information into the destAuthInfoMap(which acts as an in-memory cache)
 func (h *OAuthHandler) fetchAccountInfoFromCp(refTokenParams *RefreshTokenParams, refTokenBody RefreshTokenBodyParams,
@@ -429,6 +433,15 @@ func (h *OAuthHandler) fetchAccountInfoFromCp(refTokenParams *RefreshTokenParams
 		}
 		return http.StatusInternalServerError, authResponse, fmt.Errorf("error occurred while fetching/refreshing account info from CP: %s", refErrMsg)
 	}
+
+	if isEmptySecret(accountSecret) {
+		errMsg := errors.New("empty secret received from CP")
+		statsHandler.Increment("request", stats.Tags{
+			"errorMessage":  errMsg.Error(),
+			"isCallToCpApi": "true",
+		})
+		return http.StatusInternalServerError, nil, errMsg
+	}
 	statsHandler.Increment("request", stats.Tags{
 		"errorMessage":  "",
 		"isCallToCpApi": "true",
diff --git a/services/oauth/v2/oauth_test.go b/services/oauth/v2/oauth_test.go
@@ -359,6 +359,87 @@ var _ = Describe("Oauth", func() {
 			Expect(response).To(Equal(expectedResponse))
 			Expect(err).To(MatchError(fmt.Errorf("error occurred while fetching/refreshing account info from CP: mock mock 127.0.0.1:1234->127.0.0.1:12340: read: connection timed out")))
 		})
+
+		It("fetch token function call when cache is empty and cpApiCall returns empty secret", func() {
+			fetchTokenParams := &v2.RefreshTokenParams{
+				AccountID:   "123",
+				WorkspaceID: "456",
+				DestDefName: "testDest",
+				Destination: Destination,
+			}
+
+			ctrl := gomock.NewController(GinkgoT())
+			mockCpConnector := mock_oauthV2.NewMockConnector(ctrl)
+			mockCpConnector.EXPECT().CpApiCall(gomock.Any()).Return(http.StatusOK, `{"secret":{}}`)
+			mockTokenProvider := mock_oauthV2.NewMockTokenProvider(ctrl)
+			mockTokenProvider.EXPECT().Identity().Return(nil)
+			oauthHandler := v2.NewOAuthHandler(mockTokenProvider,
+				v2.WithCache(v2.NewCache()),
+				v2.WithLocker(kitsync.NewPartitionRWLocker()),
+				v2.WithStats(stats.Default),
+				v2.WithLogger(logger.NewLogger().Child("MockOAuthHandler")),
+				v2.WithCpConnector(mockCpConnector),
+			)
+			statusCode, response, err := oauthHandler.FetchToken(fetchTokenParams)
+			Expect(statusCode).To(Equal(http.StatusInternalServerError))
+			var expectedResponse *v2.AuthResponse
+			Expect(response).To(Equal(expectedResponse))
+			Expect(err).To(MatchError(fmt.Errorf("empty secret received from CP")))
+		})
+
+		It("fetch token function call when cache is empty and cpApiCall returns empty string", func() {
+			fetchTokenParams := &v2.RefreshTokenParams{
+				AccountID:   "123",
+				WorkspaceID: "456",
+				DestDefName: "testDest",
+				Destination: Destination,
+			}
+
+			ctrl := gomock.NewController(GinkgoT())
+			mockCpConnector := mock_oauthV2.NewMockConnector(ctrl)
+			mockCpConnector.EXPECT().CpApiCall(gomock.Any()).Return(http.StatusOK, `{"secret":""}`)
+			mockTokenProvider := mock_oauthV2.NewMockTokenProvider(ctrl)
+			mockTokenProvider.EXPECT().Identity().Return(nil)
+			oauthHandler := v2.NewOAuthHandler(mockTokenProvider,
+				v2.WithCache(v2.NewCache()),
+				v2.WithLocker(kitsync.NewPartitionRWLocker()),
+				v2.WithStats(stats.Default),
+				v2.WithLogger(logger.NewLogger().Child("MockOAuthHandler")),
+				v2.WithCpConnector(mockCpConnector),
+			)
+			statusCode, response, err := oauthHandler.FetchToken(fetchTokenParams)
+			Expect(statusCode).To(Equal(http.StatusInternalServerError))
+			var expectedResponse *v2.AuthResponse
+			Expect(response).To(Equal(expectedResponse))
+			Expect(err).To(MatchError(fmt.Errorf("empty secret received from CP")))
+		})
+
+		It("fetch token function call when cache is empty and cpApiCall returns nil secret", func() {
+			fetchTokenParams := &v2.RefreshTokenParams{
+				AccountID:   "123",
+				WorkspaceID: "456",
+				DestDefName: "testDest",
+				Destination: Destination,
+			}
+
+			ctrl := gomock.NewController(GinkgoT())
+			mockCpConnector := mock_oauthV2.NewMockConnector(ctrl)
+			mockCpConnector.EXPECT().CpApiCall(gomock.Any()).Return(http.StatusOK, `{"secret": null}`)
+			mockTokenProvider := mock_oauthV2.NewMockTokenProvider(ctrl)
+			mockTokenProvider.EXPECT().Identity().Return(nil)
+			oauthHandler := v2.NewOAuthHandler(mockTokenProvider,
+				v2.WithCache(v2.NewCache()),
+				v2.WithLocker(kitsync.NewPartitionRWLocker()),
+				v2.WithStats(stats.Default),
+				v2.WithLogger(logger.NewLogger().Child("MockOAuthHandler")),
+				v2.WithCpConnector(mockCpConnector),
+			)
+			statusCode, response, err := oauthHandler.FetchToken(fetchTokenParams)
+			Expect(statusCode).To(Equal(http.StatusInternalServerError))
+			var expectedResponse *v2.AuthResponse
+			Expect(response).To(Equal(expectedResponse))
+			Expect(err).To(MatchError(fmt.Errorf("empty secret received from CP")))
+		})
 	})
 
 	Describe("Test RefreshToken function", func() {
