From b7ebf9c3fd2c5109f7b94900b7dcbbc9c10fd053 Mon Sep 17 00:00:00 2001
From: tnantoka <tnantoka@bornneet.com>
Date: Wed, 10 Jun 2026 11:38:54 +0900
Subject: [PATCH] Fix NoMethodError when email domain is nil

---
 .../microsoft_graph/domain_verifier.rb         |  2 +-
 .../microsoft_graph/domain_verifier_spec.rb    | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/omniauth/microsoft_graph/domain_verifier.rb b/lib/omniauth/microsoft_graph/domain_verifier.rb
index a34b373..f9c7675 100644
--- a/lib/omniauth/microsoft_graph/domain_verifier.rb
+++ b/lib/omniauth/microsoft_graph/domain_verifier.rb
@@ -37,7 +37,7 @@ def verify!
         # This means while it's not suitable for consistently identifying a user
         # (the domain might change), it is suitable for verifying membership in
         # a given domain.
-        return true if email_domain.casecmp?(upn_domain) ||
+        return true if email_domain&.casecmp?(upn_domain) ||
           skip_verification == true ||
           (skip_verification.is_a?(Array) && skip_verification.include?(email_domain)) ||
           domain_verified_jwt_claim
diff --git a/spec/omniauth/microsoft_graph/domain_verifier_spec.rb b/spec/omniauth/microsoft_graph/domain_verifier_spec.rb
index a958b9b..3e3a414 100644
--- a/spec/omniauth/microsoft_graph/domain_verifier_spec.rb
+++ b/spec/omniauth/microsoft_graph/domain_verifier_spec.rb
@@ -47,6 +47,24 @@
       it { is_expected.to be_truthy }
     end
 
+    context 'when the email is missing (e.g. a personal Microsoft account)' do
+      let(:email) { nil }
+
+      context 'when domain validation is disabled' do
+        let(:options) { super().merge(skip_domain_verification: true) }
+
+        it { is_expected.to be_truthy }
+      end
+
+      context 'when all verification strategies fail' do
+        before { allow(access_token).to receive(:get).and_raise(::OAuth2::Error.new('whoops')) }
+
+        it 'raises a DomainVerificationError' do
+          expect { result }.to raise_error OmniAuth::MicrosoftGraph::DomainVerificationError
+        end
+      end
+    end
+
     context 'when the ID token indicates domain verification' do
       let(:mock_oidc_key) do
         optional_parameters = { kid: 'mock_oidc_key', use: 'sig', alg: 'RS256' }