From 77c507000b805fdfdde4d8111f20816188c62365 Mon Sep 17 00:00:00 2001 From: boskodev790 Date: Mon, 27 Apr 2026 02:41:21 -0500 Subject: [PATCH] :bug: Fix LDAP schema typo bind-passwor -> bind-password (#9165) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The malli schema for the LDAP provider params (`schema:params` in `backend/src/app/auth/ldap.clj`) declared the bind-password slot as `:bind-passwor` (missing trailing `d`). The runtime code in the same file uses `:bind-password` everywhere — `prepare-params` reads `(:bind-password cfg)` on line 21 and `try-connectivity` reads `(:bind-password cfg)` on line 89. Effects of the typo: 1. The schema slot for `:bind-password` is missing, so a wrong type (e.g. a number or vector instead of a string) for the actual key slips through `check-params` unvalidated. Malli `[:map ...]` is open by default, so the genuine `:bind-password` key is silently accepted as an unknown extra key. 2. Anyone reading the schema (operator, future contributor, or tooling generating docs) sees a non-existent `:bind-passwor` parameter and could legitimately set that key — schema would accept it, runtime would never read it, LDAP bind would silently fail with a confusing "no password" error. Cross-checked against the pre-malli `clojure.spec` shape removed in commit 88fb5e7ab (2024-10-29, ":recycle: Update integrant to latest version", which carried the spec→malli migration). The deleted spec defined `(s/def ::bind-password ::us/string)` correctly — the typo was introduced when re-typing the keys into the new malli vector-of- tuples form. Add a CHANGES.md entry under the 2.17.0 Unreleased :bug: Bugs fixed section. One-character fix. Signed-off-by: Andrey Antukh Co-authored-by: Andrey Antukh --- CHANGES.md | 1 + backend/src/app/auth/ldap.clj | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index e42246aa45..5482c07b95 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -50,6 +50,7 @@ ### :bug: Bugs fixed +- Fix LDAP provider params schema typo (`bind-passwor` → `bind-password`) introduced during the `clojure.spec` → `malli` migration; the schema slot now matches the runtime key actually read by `prepare-params` (`:password (:bind-password cfg)`) and `try-connectivity` (`(:bind-password cfg)`), so a wrong type for the password no longer slips through unvalidated - Fix `login-with-ldap` silently dropping its error message on the `ldap-not-initialized` restriction (typo `:hide` → `:hint`); the message `"ldap auth provider is not initialized"` now actually surfaces in logs and error responses instead of being discarded into an unread key - Fix `PENPOT_OIDC_USER_INFO_SOURCE` flag being silently ignored (`userinfo` / `token`) in the OIDC callback, causing "incomplete user info" failures during registration [Github #9108](https://github.com/penpot/penpot/issues/9108) - Fix `get-view-only-bundle` crashing when a share-link viewer encounters a team member whose email lacks `@` (NullPointerException in `obfuscate-email`) or whose domain has no `.` (previously produced a dangling-dot `****@****.`); now the viewer-side obfuscation is nil-safe and omits the trailing dot when the domain has no TLD diff --git a/backend/src/app/auth/ldap.clj b/backend/src/app/auth/ldap.clj index 63b7c93672..687a10dd4d 100644 --- a/backend/src/app/auth/ldap.clj +++ b/backend/src/app/auth/ldap.clj @@ -111,7 +111,7 @@ [:host {:optional true} :string] [:port {:optional true} ::sm/int] [:bind-dn {:optional true} :string] - [:bind-passwor {:optional true} :string] + [:bind-password {:optional true} :string] [:query {:optional true} :string] [:base-dn {:optional true} :string] [:attrs-email {:optional true} :string]
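Review bot: The entry added in the `@@ -50,6 +50,7 @@` hunk of CHANGES.md does not tell operators that validation becomes stricter. A configuration whose `bind-password` is not a string used to pass `check-params` and will now be rejected, which is worth stating as the user-visible effect. Consider trimming the internal detail (`prepare-params`, `try-connectivity`) and adding the `#9165` reference from the subject line, the way the OIDC entry below links its issue.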
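Review bot: The corrected `[:bind-password {:optional true} :string]` line in the `@@ -111,7 +111,7 @@` hunk of ldap.clj fixes this one key, but nothing in the patch keeps the same class of mistake from recurring. The diffstat lists only CHANGES.md and ldap.clj, so no test covers the schema, and the commit message notes that the map is open, so a misspelled key is still accepted silently. Please add a regression test asserting that `check-params` rejects a non-string `:bind-password`. If the params map carries no keys beyond those listed in the schema, also consider `{:closed true}` on the `[:map ...]`, so that a leftover `:bind-passwor` in a configuration fails validation instead of being ignored and surfacing later as a failed LDAP bind.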