Fix domain verification error handling using CallbackError

pauldruziak · pauldruziak · commit 3cf301aed26c · 2025-10-22T15:47:44.000-04:00
Changes:
- Replace custom DomainVerificationError (inheriting from OmniAuth::Error)
  with OmniAuth::Strategies::OAuth2::CallbackError
- This ensures the error is properly caught by omniauth-oauth2's
  callback_phase rescue clause instead of bubbling up as a 500 error
- Update test to expect CallbackError with :domain_verification_failed symbol

Rationale:
The omniauth-oauth2 gem's callback_phase only rescues specific error types:
  rescue ::OAuth2::Error, CallbackError =&gt; e

The previous DomainVerificationError inherited from OmniAuth::Error, which
is not in the rescue clause, causing it to bubble up as an unhandled 500 error.

By using CallbackError (the same pattern used by omniauth-google-oauth2 for
hosted domain verification), the error is automatically caught and converted
to a proper OmniAuth failure with fail!(:invalid_credentials, e).

This provides a better user experience with proper error handling and redirects
instead of 500 error pages.
diff --git a/lib/omniauth/microsoft_graph/domain_verifier.rb b/lib/omniauth/microsoft_graph/domain_verifier.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
+
 require 'jwt' # for token signature validation
-require 'omniauth' # to inherit from OmniAuth::Error
+require 'omniauth-oauth2' # to use CallbackError
 require 'oauth2' # to rescue OAuth2::Error
 
 module OmniAuth
@@ -11,8 +12,6 @@ module MicrosoftGraph
     OIDC_CONFIG_URL = 'https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration'
     COMMON_JWKS_URL = 'https://login.microsoftonline.com/common/discovery/v2.0/keys'
 
-    class DomainVerificationError < OmniAuth::Error; end
-
     class DomainVerifier
       def self.verify!(auth_hash, access_token, options)
         new(auth_hash, access_token, options).verify!
@@ -41,7 +40,13 @@ def verify!
           skip_verification == true ||
           (skip_verification.is_a?(Array) && skip_verification.include?(email_domain)) ||
           domain_verified_jwt_claim
-        raise DomainVerificationError, verification_error_message
+
+        # Use CallbackError to ensure the error is properly caught by the callback_phase
+        # rescue clause and converted to an OmniAuth failure instead of bubbling up as a 500 error.
+        raise OmniAuth::Strategies::OAuth2::CallbackError.new(
+          :domain_verification_failed,
+          verification_error_message
+        )
       end
 
       private
diff --git a/spec/omniauth/microsoft_graph/domain_verifier_spec.rb b/spec/omniauth/microsoft_graph/domain_verifier_spec.rb
@@ -105,8 +105,11 @@
     context 'when all verification strategies fail' do
       before { allow(access_token).to receive(:get).and_raise(::OAuth2::Error.new('whoops')) }
 
-      it 'raises a DomainVerificationError' do
-        expect { result }.to raise_error OmniAuth::MicrosoftGraph::DomainVerificationError
+      it 'raises a CallbackError with domain_verification_failed' do
+        expect { result }.to raise_error(OmniAuth::Strategies::OAuth2::CallbackError) do |error|
+          expect(error.error).to eq(:domain_verification_failed)
+          expect(error.error_reason).to include('not a verified domain')
+        end
       end
     end
   end
