From 244f9e0c114b84dbcdda7357b5fdf867d0fbfc2d Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Mar 2026 14:53:03 +0800
Subject: [PATCH] fix: handle null email/name from GitHub API for private-email
 users (#33882)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com>
Co-authored-by: QuantumGhost <obelisk.reg+git@gmail.com>
---
 api/controllers/console/auth/oauth.py         |  4 ++
 api/libs/oauth.py                             | 27 ++++++---
 .../unit_tests/libs/test_oauth_clients.py     | 57 ++++++++++++++++---
 3 files changed, 73 insertions(+), 15 deletions(-)

diff --git a/api/controllers/console/auth/oauth.py b/api/controllers/console/auth/oauth.py
index 112e152432..5c9023f27b 100644
--- a/api/controllers/console/auth/oauth.py
+++ b/api/controllers/console/auth/oauth.py
@@ -1,4 +1,5 @@
 import logging
+import urllib.parse
 
 import httpx
 from flask import current_app, redirect, request
@@ -112,6 +113,9 @@ class OAuthCallback(Resource):
                 error_text = e.response.text
             logger.exception("An error occurred during the OAuth process with %s: %s", provider, error_text)
             return {"error": "OAuth process failed"}, 400
+        except ValueError as e:
+            logger.warning("OAuth error with %s", provider, exc_info=True)
+            return redirect(f"{dify_config.CONSOLE_WEB_URL}/signin?message={urllib.parse.quote(str(e))}")
 
         if invite_token and RegisterService.is_valid_invite_token(invite_token):
             invitation = RegisterService.get_invitation_by_token(token=invite_token)
diff --git a/api/libs/oauth.py b/api/libs/oauth.py
index efce13f6f1..1afb42304d 100644
--- a/api/libs/oauth.py
+++ b/api/libs/oauth.py
@@ -1,16 +1,19 @@
+import logging
 import sys
 import urllib.parse
 from dataclasses import dataclass
 from typing import NotRequired
 
 import httpx
-from pydantic import TypeAdapter
+from pydantic import TypeAdapter, ValidationError
 
 if sys.version_info >= (3, 12):
     from typing import TypedDict
 else:
     from typing_extensions import TypedDict
 
+logger = logging.getLogger(__name__)
+
 JsonObject = dict[str, object]
 JsonObjectList = list[JsonObject]
 
@@ -30,8 +33,8 @@ class GitHubEmailRecord(TypedDict, total=False):
 class GitHubRawUserInfo(TypedDict):
     id: int | str
     login: str
-    name: NotRequired[str]
-    email: NotRequired[str]
+    name: NotRequired[str | None]
+    email: NotRequired[str | None]
 
 
 class GoogleRawUserInfo(TypedDict):
@@ -127,9 +130,14 @@ class GitHubOAuth(OAuth):
         response.raise_for_status()
         user_info = GITHUB_RAW_USER_INFO_ADAPTER.validate_python(_json_object(response))
 
-        email_response = httpx.get(self._EMAIL_INFO_URL, headers=headers)
-        email_info = GITHUB_EMAIL_RECORDS_ADAPTER.validate_python(_json_list(email_response))
-        primary_email = next((email for email in email_info if email.get("primary") is True), None)
+        try:
+            email_response = httpx.get(self._EMAIL_INFO_URL, headers=headers)
+            email_response.raise_for_status()
+            email_info = GITHUB_EMAIL_RECORDS_ADAPTER.validate_python(_json_list(email_response))
+            primary_email = next((email for email in email_info if email.get("primary") is True), None)
+        except (httpx.HTTPStatusError, ValidationError):
+            logger.warning("Failed to retrieve email from GitHub /user/emails endpoint", exc_info=True)
+            primary_email = None
 
         return {**user_info, "email": primary_email.get("email", "") if primary_email else ""}
 
@@ -137,8 +145,11 @@ class GitHubOAuth(OAuth):
         payload = GITHUB_RAW_USER_INFO_ADAPTER.validate_python(raw_info)
         email = payload.get("email")
         if not email:
-            email = f"{payload['id']}+{payload['login']}@users.noreply.github.com"
-        return OAuthUserInfo(id=str(payload["id"]), name=str(payload.get("name", "")), email=email)
+            raise ValueError(
+                'Dify currently not supports the "Keep my email addresses private" feature,'
+                " please disable it and login again"
+            )
+        return OAuthUserInfo(id=str(payload["id"]), name=str(payload.get("name") or ""), email=email)
 
 
 class GoogleOAuth(OAuth):
diff --git a/api/tests/unit_tests/libs/test_oauth_clients.py b/api/tests/unit_tests/libs/test_oauth_clients.py
index bc7880ccc8..3918e8ee4b 100644
--- a/api/tests/unit_tests/libs/test_oauth_clients.py
+++ b/api/tests/unit_tests/libs/test_oauth_clients.py
@@ -95,13 +95,11 @@ class TestGitHubOAuth(BaseOAuthTest):
                 ],
                 "primary@example.com",
             ),
-            # User with no emails - fallback to noreply
-            ({"id": 12345, "login": "testuser", "name": "Test User"}, [], "12345+testuser@users.noreply.github.com"),
-            # User with only secondary email - fallback to noreply
+            # User with private email (null email and name from API)
             (
-                {"id": 12345, "login": "testuser", "name": "Test User"},
-                [{"email": "secondary@example.com", "primary": False}],
-                "12345+testuser@users.noreply.github.com",
+                {"id": 12345, "login": "testuser", "name": None, "email": None},
+                [{"email": "primary@example.com", "primary": True}],
+                "primary@example.com",
             ),
         ],
     )
@@ -118,9 +116,54 @@ class TestGitHubOAuth(BaseOAuthTest):
         user_info = oauth.get_user_info("test_token")
 
         assert user_info.id == str(user_data["id"])
-        assert user_info.name == user_data["name"]
+        assert user_info.name == (user_data["name"] or "")
         assert user_info.email == expected_email
 
+    @pytest.mark.parametrize(
+        ("user_data", "email_data"),
+        [
+            # User with no emails
+            ({"id": 12345, "login": "testuser", "name": "Test User"}, []),
+            # User with only secondary email
+            (
+                {"id": 12345, "login": "testuser", "name": "Test User"},
+                [{"email": "secondary@example.com", "primary": False}],
+            ),
+            # User with private email and no primary in emails endpoint
+            (
+                {"id": 12345, "login": "testuser", "name": None, "email": None},
+                [],
+            ),
+        ],
+    )
+    @patch("httpx.get", autospec=True)
+    def test_should_raise_error_when_no_primary_email(self, mock_get, oauth, user_data, email_data):
+        user_response = MagicMock()
+        user_response.json.return_value = user_data
+
+        email_response = MagicMock()
+        email_response.json.return_value = email_data
+
+        mock_get.side_effect = [user_response, email_response]
+
+        with pytest.raises(ValueError, match="Keep my email addresses private"):
+            oauth.get_user_info("test_token")
+
+    @patch("httpx.get", autospec=True)
+    def test_should_raise_error_when_email_endpoint_fails(self, mock_get, oauth):
+        user_response = MagicMock()
+        user_response.json.return_value = {"id": 12345, "login": "testuser", "name": "Test User"}
+
+        email_response = MagicMock()
+        email_response.raise_for_status.side_effect = httpx.HTTPStatusError(
+            "Forbidden", request=MagicMock(), response=MagicMock()
+        )
+
+        mock_get.side_effect = [user_response, email_response]
+
+        with pytest.raises(ValueError, match="Keep my email addresses private"):
+            oauth.get_user_info("test_token")
+
     @patch("httpx.get", autospec=True)
     def test_should_handle_network_errors(self, mock_get, oauth):
         mock_get.side_effect = httpx.RequestError("Network error")