ydb-platform · StekPerepolnen · Jan 24, 2025 · Jan 14, 2025 · Jan 23, 2025 · Jan 23, 2025
diff --git a/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp b/ydb/mvp/oidc_proxy/oidc_impersonate_start_page_nebius.cpp
@@ -69,14 +69,23 @@ void THandlerImpersonateStart::RequestImpersonatedToken(TString& sessionToken, T
 void THandlerImpersonateStart::ProcessImpersonatedToken(const NJson::TJsonValue& jsonValue) {
     const NJson::TJsonValue* jsonImpersonatedToken;
     const NJson::TJsonValue* jsonExpiresIn;
+    TString impersonatedToken;
+    unsigned long long expiresIn;
     if (!jsonValue.GetValuePointer("impersonation", &jsonImpersonatedToken)) {
-        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: impersonation not found");
+        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: `impersonation` not found");
+    }
+    if (!jsonImpersonatedToken->GetString(&impersonatedToken)) {
+        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: failed to extract `impersonation`");
     }
     if (!jsonValue.GetValuePointer("expires_in", &jsonExpiresIn)) {
-        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: expires_in not found");
+        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: `expires_in` not found");
+    }
+    if (!jsonExpiresIn->GetUInteger(&expiresIn)) {
+        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: failed to extract `expires_in`");
+    }
+    if (expiresIn > std::numeric_limits<i32>::max()) {
+        expiresIn = std::numeric_limits<i32>::max();
     }
-    TString impersonatedToken = jsonImpersonatedToken->GetStringRobust();
-    long long expiresIn = jsonExpiresIn->GetIntegerRobust();
     TString impersonatedCookieName = CreateNameImpersonatedCookie(Settings.ClientId);
     TString impersonatedCookieValue = Base64Encode(impersonatedToken);
     BLOG_D("Set impersonated cookie: (" << impersonatedCookieName << ": " << NKikimr::MaskTicket(impersonatedCookieValue) << ")");

diff --git a/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp b/ydb/mvp/oidc_proxy/oidc_session_create_nebius.cpp
@@ -36,14 +36,23 @@ void THandlerSessionCreateNebius::RequestSessionToken(const TString& code) {
 void THandlerSessionCreateNebius::ProcessSessionToken(const NJson::TJsonValue& jsonValue) {
     const NJson::TJsonValue* jsonAccessToken;
     const NJson::TJsonValue* jsonExpiresIn;
+    TString sessionToken;
+    unsigned long long expiresIn;
     if (!jsonValue.GetValuePointer("access_token", &jsonAccessToken)) {
-        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: access_token not found");
+        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: `access_token` not found");
+    }
+    if (!jsonAccessToken->GetString(&sessionToken)) {
+        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: failed to extract `access_token`");
     }
     if (!jsonValue.GetValuePointer("expires_in", &jsonExpiresIn)) {
-        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: expires_in not found");
+        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: `expires_in` not found");
+    }
+    if (!jsonExpiresIn->GetUInteger(&expiresIn)) {
+        return ReplyBadRequestAndPassAway("Wrong OIDC provider response: failed to extract `expires_in`");
+    }
+    if (expiresIn > std::numeric_limits<i32>::max()) {
+        expiresIn = std::numeric_limits<i32>::max();
     }
-    TString sessionToken = jsonAccessToken->GetStringRobust();
-    long long expiresIn = jsonExpiresIn->GetIntegerRobust();
     TString sessionCookieName = CreateNameSessionCookie(Settings.ClientId);
     TString sessionCookieValue = Base64Encode(sessionToken);
     BLOG_D("Set session cookie: (" << sessionCookieName << ": " << NKikimr::MaskTicket(sessionCookieValue) << ")");

diff --git a/ydb/mvp/oidc_proxy/oidc_session_create_yandex.cpp b/ydb/mvp/oidc_proxy/oidc_session_create_yandex.cpp
@@ -52,7 +52,7 @@ void THandlerSessionCreateYandex::ProcessSessionToken(const NJson::TJsonValue& j
     SetHeader(meta, "authorization", token);
     meta.Timeout = TDuration::Seconds(10);
 
-    NActors::TActorSystem* actorSystem = TlsActivationContext->ActorSystem();
+    NActors::TActorSystem* actorSystem = TActivationContext::ActorSystem();
     NActors::TActorId actorId = SelfId();
     NYdbGrpc::TResponseCallback<yandex::cloud::priv::oauth::v1::CreateSessionResponse> responseCb =
         [actorId, actorSystem](NYdbGrpc::TGrpcStatus&& status, yandex::cloud::priv::oauth::v1::CreateSessionResponse&& response) -> void {