fix(auth): prevent crash when Google OAuth email is missing #3952

Open
KanhaiyaPandey wants to merge 1 commit into processing:develop from
KanhaiyaPandey:fix/google-oauth-email-validation

@KanhaiyaPandey

Summary

Fixes an issue in the Google OAuth strategy where the code directly accessed
profile._json.emails[0].value without validating that emails exists and
contains at least one entry.

If Google does not return an email array, this results in:
TypeError: Cannot read property '0' of undefined

This PR adds proper validation and ensures the OAuth flow fails gracefully
instead of crashing.

Changes

  • Added safe check for profile.emails (or _json.emails) before accessing index 0
  • Extracted email into a primaryEmail variable
  • If no email is found, return:
    done(null, false, { msg: 'Google account does not provide an email address.' })
  • Replaced all direct usages of profile._json.emails[0].value

Why This Is Needed

Google does not guarantee that the emails array will be present
(depending on scopes, account type, or privacy settings).
Without validation, the OAuth flow crashes instead of failing gracefully.

Testing

  • Mocked a Google profile without emails
  • Confirmed OAuth flow no longer throws a TypeError
  • Verified user-friendly failure message is returned instead

Closes #3907
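
The validation described in this PR, as an added example that is not the PR's diff or the project's code. It assumes a Passport-style verify callback `(accessToken, refreshToken, profile, done)`; `getPrimaryEmail`, `makeGoogleVerify`, `findOrCreateUser`, `runVerify` and the mock profiles are hypothetical names and constructed data, and it goes slightly beyond the description by skipping malformed entries instead of only checking index 0.

```javascript
// Added example with hypothetical helper names; not the project's own code.

// Return the first non-empty email string from profile.emails or
// profile._json.emails, or null when neither provides one.
function getPrimaryEmail(profile) {
  const candidates = [
    profile && profile.emails,
    profile && profile._json && profile._json.emails
  ];
  for (const list of candidates) {
    if (!Array.isArray(list)) continue; // missing or wrong type: try next source
    for (const entry of list) {
      const value = entry && typeof entry.value === 'string' ? entry.value.trim() : '';
      if (value) return value;
    }
  }
  return null;
}

// Build a verify callback. findOrCreateUser is a hypothetical stand-in for
// the application's user lookup and is only called with a validated email.
function makeGoogleVerify(findOrCreateUser) {
  return function verify(accessToken, refreshToken, profile, done) {
    const primaryEmail = getPrimaryEmail(profile);
    if (!primaryEmail) {
      // Fail the login cleanly instead of throwing a TypeError.
      return done(null, false, { msg: 'Google account does not provide an email address.' });
    }
    let user;
    try { user = findOrCreateUser(primaryEmail, profile); } catch (err) { return done(err); }
    return done(null, user);
  };
}

// Constructed mock profiles (not real Google responses).
const MOCK_PROFILES = {
  withEmail: { id: '1', emails: [{ value: 'user@example.com' }] },
  jsonOnly: { id: '2', _json: { emails: [{ value: 'json@example.com' }] } },
  noEmails: { id: '3', _json: {} },
  emptyArray: { id: '4', emails: [] },
  badEntry: { id: '5', emails: [null, { value: '' }] }
};

// Run the verify callback and capture what it passed to done().
function runVerify(profile) {
  let result;
  const verify = makeGoogleVerify((email) => ({ email }));
  verify('token', 'refresh', profile, (err, user, info) => { result = { err, user, info }; });
  return result;
}
```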

Development

Successfully merging this pull request may close these issues.

Google OAuth: missing email array validation
