🎨 validate ghost profile/token response (#7761)

no issue - check if profile or access token exists when receiving the response from Ghost Auth server
TryGhost · Jan 31, 2017 · eebdfab · eebdfab
1 parent 89d4013
commit eebdfab
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/core/server/auth/auth-strategies.js b/core/server/auth/auth-strategies.js
@@ -69,14 +69,19 @@ strategies = {
      * - via invite token
      * - via normal auth
      * - via setup
-     *
-     * @TODO: validate GhostAuth profile?
      */
     ghostStrategy: function ghostStrategy(req, ghostAuthAccessToken, ghostAuthRefreshToken, profile, done) {
         var inviteToken = req.body.inviteToken,
             options = {context: {internal: true}},
             handleInviteToken, handleSetup;
 
+        // CASE: socket hangs up for example
+        if (!ghostAuthAccessToken || !profile) {
+            return done(new errors.NoPermissionError({
+                help: 'Please try again.'
+            }));
+        }
+
         handleInviteToken = function handleInviteToken() {
             var user, invite;
             inviteToken = utils.decodeBase64URLsafe(inviteToken);