From bdac7a6640665fd0cc5d6f2ce2dd4b8338d842b8 Mon Sep 17 00:00:00 2001
From: Br1an67 <932039080@qq.com>
Date: Fri, 6 Mar 2026 16:41:34 +0000
Subject: [PATCH] fix: filter empty strings from allowed groups
When parsing allowed groups from configuration (e.g., via environment variable OAUTH2_PROXY_ALLOWED_GROUPS), viper may include empty strings in the parsed slice when trailing commas are present (e.g., "group2," becomes ["group2", ""]). The setAllowedGroups function now filters out empty strings before adding them to the AllowedGroups map, ensuring that only valid group names are checked during authorization.
Fixes #3123
---
 providers/provider_data.go | 4 +++-
 providers/provider_default_test.go | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/providers/provider_data.go b/providers/provider_data.go
index 95de5c50..92598793 100644
--- a/providers/provider_data.go
+++ b/providers/provider_data.go
@@ -179,7 +179,9 @@ func regexpForRule(rule options.URLParameterRule) string {
 func (p *ProviderData) setAllowedGroups(groups []string) {
 p.AllowedGroups = make(map[string]struct{}, len(groups))
 for _, group := range groups {
- p.AllowedGroups[group] = struct{}{}
+ if group != "" {
+ p.AllowedGroups[group] = struct{}{}
+ }
 }
 }
diff --git a/providers/provider_default_test.go b/providers/provider_default_test.go
index 0fbe7abd..9370cdca 100644
--- a/providers/provider_default_test.go
+++ b/providers/provider_default_test.go
@@ -102,6 +102,18 @@ func TestProviderDataAuthorize(t *testing.T) {
 groups: []string{"baz", "foo"},
 expectedAuthZ: false,
 },
+ {
+ name: "AllowedGroupsWithEmptyString",
+ allowedGroups: []string{"group2", ""},
+ groups: []string{"group1", "group2"},
+ expectedAuthZ: true,
+ },
+ {
+ name: "AllowedGroupsOnlyEmptyString",
+ allowedGroups: []string{""},
+ groups: []string{"group1", "group2"},
+ expectedAuthZ: true,
+ },
 }
 for _, tc := range testCases {
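Review bot: After this filter, a configured list holding only empty entries (for example `[""]`, the input the new `AllowedGroupsOnlyEmptyString` case in providers/provider_default_test.go expects to authorize) leaves `p.AllowedGroups` empty, which appears to mean "no group restriction" rather than "deny". Before the change the same input kept a `""` key and, as far as this hunk shows, would have matched no real group, so the restriction silently flips from closed to open when an operator's value is mangled or a templated variable expands to nothing. `setAllowedGroups` has no error return, so consider at least a guard after the loop, `if len(groups) > 0 && len(p.AllowedGroups) == 0 {`, that logs a warning naming the setting, or reject that input during option validation. Whitespace-only entries such as `" "` still pass `group != ""`; testing `strings.TrimSpace(group)` instead would cover them if the config parser does not already trim.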
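Review bot: Both added rows expect `true`, so the table never shows that a list like `{"group2", ""}` still denies a session outside `group2`, or a session whose own group list carries an empty string; a regression that turned the filtered list into allow-all would pass these tests. Add a negative row such as `{name: "AllowedGroupsWithEmptyStringNoMatch", allowedGroups: []string{"group2", ""}, groups: []string{"group1"}, expectedAuthZ: false},` and a second one with `groups: []string{""}`. TestProviderDataAuthorize and its table start and end outside this hunk, so check that an equivalent row is not already present.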