github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-03-23 18:40:38 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

UX: Ignore name parameter from IDP when it is equal to email (#8869)

Browse Source 
Some auth providers (e.g. Auth0 with default configuration) send the email address in the name field. In Discourse, the name field is made public, so this commit adds a safeguard to prevent emails being made public.
This commit is contained in:
David Taylor 2020-02-05 16:03:18 +00:00 committed by GitHub
parent 98303ee645
commit 88779d849f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/auth/managed_authenticator.rb
View File

@ -92,6 +92,11 @@ class Auth::ManagedAuthenticator < Auth::Authenticator
info = auth_token[:info]
result.email = info[:email]
result.name = (info[:first_name] && info[:last_name]) ? "#{info[:first_name]} #{info[:last_name]}" : info[:name]
if result.name.present? && result.name == result.email
# Some IDPs send the email address in the name parameter (e.g. Auth0 with default configuration)
# We add some generic protection here, so that users don't accidently make their email addresses public
result.name = nil
end
result.username = info[:nickname]
result.email_valid = primary_email_verified?(auth_token) if result.email
result.extra_data = {

14
spec/components/auth/managed_authenticator_spec.rb
View File

@ -12,7 +12,7 @@ describe Auth::ManagedAuthenticator do
}
let(:hash) {
{
OmniAuth::AuthHash.new(
provider: "myauth",
uid: "1234",
info: {
@ -28,14 +28,14 @@ describe Auth::ManagedAuthenticator do
randominfo: "some info"
}
}
}
)
}
let(:create_hash) {
{
OmniAuth::AuthHash.new(
provider: "myauth",
uid: "1234"
}
)
}
describe 'after_authenticate' do
@ -151,6 +151,12 @@ describe Auth::ManagedAuthenticator do
expect(UserAssociatedAccount.last.user).to eq(nil)
expect(UserAssociatedAccount.last.info["nickname"]).to eq("IAmGroot")
end
it 'will ignore name when equal to email' do
result = authenticator.after_authenticate(hash.deep_merge(info: { name: hash.info.email }))
expect(result.email).to eq(hash.info.email)
expect(result.name).to eq(nil)
end
end
describe "avatar on update" do