discourse/app/controllers/users/omniauth_callbacks_controller.rb

# -*- encoding : utf-8 -*-
require_dependency 'email'
require_dependency 'enum'
require_dependency 'user_name_suggester'

class Users::OmniauthCallbacksController < ApplicationController

  skip_before_action :redirect_to_login_if_required

  layout 'no_ember'

  # need to be able to call this
  skip_before_action :check_xhr

  # this is the only spot where we allow CSRF, our openid / oauth redirect
  # will not have a CSRF token, however the payload is all validated so its safe
  skip_before_action :verify_authenticity_token, only: :complete

  def complete
    auth = request.env["omniauth.auth"]
    raise Discourse::NotFound unless request.env["omniauth.auth"]

    auth[:session] = session

    authenticator = self.class.find_authenticator(params[:provider])
    provider = DiscoursePluginRegistry.auth_providers.find { |p| p.name == params[:provider] }

    if authenticator.can_connect_existing_user? && current_user
      @auth_result = authenticator.after_authenticate(auth, existing_account: current_user)
    else
      @auth_result = authenticator.after_authenticate(auth)
    end

    origin = request.env['omniauth.origin']

    if SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload)
      origin = session_sso_provider_url + "?" + payload
    elsif cookies[:destination_url].present?
      origin = cookies[:destination_url]
      cookies.delete(:destination_url)
    end

    if origin.present?
      parsed = begin
        URI.parse(origin)
      rescue URI::Error
      end

      if parsed
        @origin = "#{parsed.path}?#{parsed.query}"
      end
    end

    if @origin.blank?
      @origin = Discourse.base_uri("/")
    else
      @auth_result.destination_url = origin
    end

    if @auth_result.failed?
      flash[:error] = @auth_result.failed_reason.html_safe
      return render('failure')
    else
      @auth_result.authenticator_name = authenticator.name
      complete_response_data

      if (provider && provider.full_screen_login) || cookies['fsl']
        cookies.delete('fsl')
        cookies['_bypass_cache'] = true
        flash[:authentication_data] = @auth_result.to_client_hash.to_json
        redirect_to @origin
      else
        respond_to do |format|
          format.html
          format.json { render json: @auth_result.to_client_hash }
        end
      end
    end
  end

  def failure
    flash[:error] = I18n.t("login.omniauth_error")
    render 'failure'
  end

  def self.find_authenticator(name)
    Discourse.enabled_authenticators.each do |authenticator|
      return authenticator if authenticator.name == name
    end
    raise Discourse::InvalidAccess.new(I18n.t('authenticator_not_found'))
  end

  protected

  def complete_response_data
    if @auth_result.user
      user_found(@auth_result.user)
    elsif SiteSetting.invite_only?
      @auth_result.requires_invite = true
    else
      session[:authentication] = @auth_result.session_data
    end
  end

  def user_found(user)
    if user.totp_enabled?
      @auth_result.omniauth_disallow_totp = true
      @auth_result.email = user.email
      return
    end

    # automatically activate/unstage any account if a provider marked the email valid
    if @auth_result.email_valid && @auth_result.email == user.email
      user.unstage
      user.save

      # ensure there is an active email token
      unless EmailToken.where(email: user.email, confirmed: true).exists? ||
        user.email_tokens.active.where(email: user.email).exists?

        user.email_tokens.create!(email: user.email)
      end

      user.activate
      user.update!(registration_ip_address: request.remote_ip) if user.registration_ip_address.blank?
    end

    if ScreenedIpAddress.should_block?(request.remote_ip)
      @auth_result.not_allowed_from_ip_address = true
    elsif ScreenedIpAddress.block_admin_login?(user, request.remote_ip)
      @auth_result.admin_not_allowed_from_ip_address = true
    elsif Guardian.new(user).can_access_forum? && user.active # log on any account that is active with forum access
      log_on_user(user)
      Invite.invalidate_for_email(user.email) # invite link can't be used to log in anymore
      session[:authentication] = nil # don't carry around old auth info, perhaps move elsewhere
      @auth_result.authenticated = true
    else
      if SiteSetting.must_approve_users? && !user.approved?
        @auth_result.awaiting_approval = true
      else
        @auth_result.awaiting_activation = true
      end
    end
  end

end
move all logic to omniauth implement omniauth-facebook / omniauth-twitter 2013-02-12 21:47:22 +08:00			`# -- encoding : utf-8 --`
			`require_dependency 'email'`
Check when logging in whether a auth provider is enabled, including specs 2013-03-05 02:44:41 +08:00			`require_dependency 'enum'`
Refactored user_name suggestion methods into a module to reduce the complexity of User model 2013-06-06 22:40:10 +08:00			`require_dependency 'user_name_suggester'`
Check when logging in whether a auth provider is enabled, including specs 2013-03-05 02:44:41 +08:00
move all logic to omniauth implement omniauth-facebook / omniauth-twitter 2013-02-12 21:47:22 +08:00			`class Users::OmniauthCallbacksController < ApplicationController`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 14:20:43 +08:00
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 12:06:56 +08:00			`skip_before_action :redirect_to_login_if_required`
move all logic to omniauth implement omniauth-facebook / omniauth-twitter 2013-02-12 21:47:22 +08:00
UX: Use `no_ember` styling for omniauth error page 2017-11-16 03:04:26 +08:00			`layout 'no_ember'`
move all logic to omniauth implement omniauth-facebook / omniauth-twitter 2013-02-12 21:47:22 +08:00
			`# need to be able to call this`
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 12:06:56 +08:00			`skip_before_action :check_xhr`
move all logic to omniauth implement omniauth-facebook / omniauth-twitter 2013-02-12 21:47:22 +08:00
SECURITY: correct our CSRF implementation to be much more aggressive 2013-07-29 13:13:13 +08:00			`# this is the only spot where we allow CSRF, our openid / oauth redirect`
			`# will not have a CSRF token, however the payload is all validated so its safe`
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 12:06:56 +08:00			`skip_before_action :verify_authenticity_token, only: :complete`
move all logic to omniauth implement omniauth-facebook / omniauth-twitter 2013-02-12 21:47:22 +08:00
			`def complete`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 14:20:43 +08:00			`auth = request.env["omniauth.auth"]`
FIX: Return a 404 if the auth session is not present 2017-05-05 03:35:03 +08:00			`raise Discourse::NotFound unless request.env["omniauth.auth"]`

add session to auth hash in oauth complete method 2013-11-20 01:58:12 +08:00			`auth[:session] = session`
working plugin interface for custom openid auth, custom css and custom js 2013-08-01 13:59:57 +08:00
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 14:20:43 +08:00			`authenticator = self.class.find_authenticator(params[:provider])`
FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 23:51:57 +08:00			`provider = DiscoursePluginRegistry.auth_providers.find { \|p\| p.name == params[:provider] }`
Check when logging in whether a auth provider is enabled, including specs 2013-03-05 02:44:41 +08:00
FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 23:51:57 +08:00			`if authenticator.can_connect_existing_user? && current_user`
			`@auth_result = authenticator.after_authenticate(auth, existing_account: current_user)`
			`else`
			`@auth_result = authenticator.after_authenticate(auth)`
			`end`
working plugin interface for custom openid auth, custom css and custom js 2013-08-01 13:59:57 +08:00
FEATURE: allow auto provider to specify "full screen login" this feature means we attempt to log in without opening a frame. 2015-10-13 09:23:34 +08:00			`origin = request.env['omniauth.origin']`
FIX: redirect to original URL after social login 2018-01-27 01:52:27 +08:00
FIX: redirect users to SSO client URL after social login 2018-10-05 02:31:08 +08:00			`if SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload)`
			`origin = session_sso_provider_url + "?" + payload`
			`elsif cookies[:destination_url].present?`
FIX: redirects back to origin for SSO and omniauth login 2016-09-16 11:48:50 +08:00			`origin = cookies[:destination_url]`
			`cookies.delete(:destination_url)`
			`end`

FEATURE: allow auto provider to specify "full screen login" this feature means we attempt to log in without opening a frame. 2015-10-13 09:23:34 +08:00			`if origin.present?`
Remove use of `rescue nil`. * `rescue nil` is a really bad pattern to use in our code base. We should rescue errors that we expect the code to throw and not rescue everything because we're unsure of what errors the code would throw. This would reduce the amount of pain we face when debugging why something isn't working as expexted. I've been bitten countless of times by errors being swallowed as a result during debugging sessions. 2018-03-28 16:20:08 +08:00			`parsed = begin`
			`URI.parse(origin)`
FIX: store the topic links using the cooked upload url 2018-08-14 18:23:32 +08:00			`rescue URI::Error`
Remove use of `rescue nil`. * `rescue nil` is a really bad pattern to use in our code base. We should rescue errors that we expect the code to throw and not rescue everything because we're unsure of what errors the code would throw. This would reduce the amount of pain we face when debugging why something isn't working as expexted. I've been bitten countless of times by errors being swallowed as a result during debugging sessions. 2018-03-28 16:20:08 +08:00			`end`

FEATURE: allow auto provider to specify "full screen login" this feature means we attempt to log in without opening a frame. 2015-10-13 09:23:34 +08:00			`if parsed`
FIX: redirects back to origin for SSO and omniauth login 2016-09-16 11:48:50 +08:00			`@origin = "#{parsed.path}?#{parsed.query}"`
FEATURE: allow auto provider to specify "full screen login" this feature means we attempt to log in without opening a frame. 2015-10-13 09:23:34 +08:00			`end`
			`end`

FIX: redirect to original URL after social login 2018-01-27 01:52:27 +08:00			`if @origin.blank?`
Revert "FIX: If login is required, redirect to the `/login` route instead of root" This reverts commit 8a8dec550b2eaffa402968bf0bbd0d681fe0a805. 2017-05-26 02:04:28 +08:00			`@origin = Discourse.base_uri("/")`
FIX: redirect to original URL after social login 2018-01-27 01:52:27 +08:00			`else`
			`@auth_result.destination_url = origin`
FEATURE: allow auto provider to specify "full screen login" this feature means we attempt to log in without opening a frame. 2015-10-13 09:23:34 +08:00			`end`

Better support for passing up errors when OmniAuth fails after auth 2015-06-25 00:12:43 +08:00			`if @auth_result.failed?`
			`flash[:error] = @auth_result.failed_reason.html_safe`
			`return render('failure')`
			`else`
			`@auth_result.authenticator_name = authenticator.name`
			`complete_response_data`
clean up implementation of non frame login / registration 2015-10-13 11:49:09 +08:00
we do not define auth providers for builtins 2016-08-29 09:12:24 +08:00			`if (provider && provider.full_screen_login) \|\| cookies['fsl']`
FIX: fullscreen login set from client needs to be respected 2016-08-29 08:13:32 +08:00			`cookies.delete('fsl')`
FIX: Use a cookie to bypass the anon cache 2015-10-29 05:16:56 +08:00			`cookies['_bypass_cache'] = true`
clean up implementation of non frame login / registration 2015-10-13 11:49:09 +08:00			`flash[:authentication_data] = @auth_result.to_client_hash.to_json`
			`redirect_to @origin`
			`else`
			`respond_to do \|format\|`
			`format.html`
			`format.json { render json: @auth_result.to_client_hash }`
			`end`
Better support for passing up errors when OmniAuth fails after auth 2015-06-25 00:12:43 +08:00			`end`
Use AJAX for submitting Persona credentials. Fixes issue with needing to unblock popups. 2013-03-02 03:22:54 +08:00			`end`
move all logic to omniauth implement omniauth-facebook / omniauth-twitter 2013-02-12 21:47:22 +08:00			`end`

This commit adds a callback route to handle omniauth failure and removes a few unneccessary entries in en.yml 2013-02-15 03:11:13 +08:00			`def failure`
SECURITY: don't echo the "strategy" param returned by auto provider 2015-01-06 13:28:29 +08:00			`flash[:error] = I18n.t("login.omniauth_error")`
UX: Use `no_ember` styling for omniauth error page 2017-11-16 03:04:26 +08:00			`render 'failure'`
This commit adds a callback route to handle omniauth failure and removes a few unneccessary entries in en.yml 2013-02-15 03:11:13 +08:00			`end`

major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 14:20:43 +08:00			`def self.find_authenticator(name)`
FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 23:51:57 +08:00			`Discourse.enabled_authenticators.each do \|authenticator\|`
			`return authenticator if authenticator.name == name`
Authenticate with Discourse via OAuth2 See https://github.com/michaelkirk/discourse_oauth2_example for an example of how you might integrate your existing oauth2 provider's authentication via a Discourse plugin. 2013-08-18 12:43:59 +08:00			`end`
FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 23:51:57 +08:00			`raise Discourse::InvalidAccess.new(I18n.t('authenticator_not_found'))`
move all logic to omniauth implement omniauth-facebook / omniauth-twitter 2013-02-12 21:47:22 +08:00			`end`

major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 14:20:43 +08:00			`protected`
Added Github authentication option, disabled by default with enable options in settings. 2013-02-26 12:28:32 +08:00
Refactor omniauth_callbacks_controller for extensibility 2014-10-01 00:24:22 +08:00			`def complete_response_data`
Better support for passing up errors when OmniAuth fails after auth 2015-06-25 00:12:43 +08:00			`if @auth_result.user`
			`user_found(@auth_result.user)`
Refactor omniauth_callbacks_controller for extensibility 2014-10-01 00:24:22 +08:00			`elsif SiteSetting.invite_only?`
Better support for passing up errors when OmniAuth fails after auth 2015-06-25 00:12:43 +08:00			`@auth_result.requires_invite = true`
Refactor omniauth_callbacks_controller for extensibility 2014-10-01 00:24:22 +08:00			`else`
Better support for passing up errors when OmniAuth fails after auth 2015-06-25 00:12:43 +08:00			`session[:authentication] = @auth_result.session_data`
Refactor omniauth_callbacks_controller for extensibility 2014-10-01 00:24:22 +08:00			`end`
			`end`

major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 14:20:43 +08:00			`def user_found(user)`
FEATURE: Disallow login via omniauth when user has 2FA enabled. 2018-03-01 15:47:07 +08:00			`if user.totp_enabled?`
			`@auth_result.omniauth_disallow_totp = true`
FIX: Use user account email instead of auth email when totp is enabled. https://meta.discourse.org/t/github-2fa-flow-broken/88674 2018-05-30 12:14:04 +08:00			`@auth_result.email = user.email`
FEATURE: Disallow login via omniauth when user has 2FA enabled. 2018-03-01 15:47:07 +08:00			`return`
			`end`

FIX: automatically unstage user when signing in using OAuth 2016-04-05 01:04:10 +08:00			`# automatically activate/unstage any account if a provider marked the email valid`
FIX: Don't mark user as `active` if verified email is different. 2017-03-01 11:58:24 +08:00			`if @auth_result.email_valid && @auth_result.email == user.email`
FIX: always unstage users when they log in 2018-05-13 23:00:02 +08:00			`user.unstage`
			`user.save`
REFACTOR: Prefer `exists?` over `present`. 2018-03-01 10:22:41 +08:00
FIX: always confirm emails when SSO says so 2017-06-08 07:05:33 +08:00			`# ensure there is an active email token`
REFACTOR: Prefer `exists?` over `present`. 2018-03-01 10:22:41 +08:00			`unless EmailToken.where(email: user.email, confirmed: true).exists? \|\|`
			`user.email_tokens.active.where(email: user.email).exists?`

			`user.email_tokens.create!(email: user.email)`
			`end`

FIX: confirm email token for user created via social login 2017-04-13 02:29:32 +08:00			`user.activate`
FIX: save registration_ip_address for staged users logging in via social auth 2017-12-12 20:08:57 +08:00			`user.update!(registration_ip_address: request.remote_ip) if user.registration_ip_address.blank?`
Fixed GitHub auth, GitHub can provide us with a valid email - so automatically log in for those cases 2013-08-02 10:03:53 +08:00			`end`

UX: improve message when admin login is blocked because of admin ip address whitelisting 2015-03-03 01:13:10 +08:00			`if ScreenedIpAddress.should_block?(request.remote_ip)`
Better support for passing up errors when OmniAuth fails after auth 2015-06-25 00:12:43 +08:00			`@auth_result.not_allowed_from_ip_address = true`
UX: improve message when admin login is blocked because of admin ip address whitelisting 2015-03-03 01:13:10 +08:00			`elsif ScreenedIpAddress.block_admin_login?(user, request.remote_ip)`
Better support for passing up errors when OmniAuth fails after auth 2015-06-25 00:12:43 +08:00			`@auth_result.admin_not_allowed_from_ip_address = true`
FEATURE: restrict admin access based on IP address 2014-09-05 06:50:27 +08:00			`elsif Guardian.new(user).can_access_forum? && user.active # log on any account that is active with forum access`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 14:20:43 +08:00			`log_on_user(user)`
Invite link can't be used to log in after you set a password or sign in with 3rd party 2014-01-22 05:53:46 +08:00			`Invite.invalidate_for_email(user.email) # invite link can't be used to log in anymore`
			`session[:authentication] = nil # don't carry around old auth info, perhaps move elsewhere`
Better support for passing up errors when OmniAuth fails after auth 2015-06-25 00:12:43 +08:00			`@auth_result.authenticated = true`
Add basic Persona functionality 1. No session integration yet, so automatic login/logout events are suppressed. 2. Popup blockers must be disabled: submits form to target="_blank" 2013-03-01 23:23:21 +08:00			`else`
invite only forums had very wonky logic, invited users were not being activated, invite_only forums were still registering users 2013-08-28 15:18:31 +08:00			`if SiteSetting.must_approve_users? && !user.approved?`
Better support for passing up errors when OmniAuth fails after auth 2015-06-25 00:12:43 +08:00			`@auth_result.awaiting_approval = true`
remove duplicate code 2013-07-11 14:02:18 +08:00			`else`
Better support for passing up errors when OmniAuth fails after auth 2015-06-25 00:12:43 +08:00			`@auth_result.awaiting_activation = true`
remove duplicate code 2013-07-11 14:02:18 +08:00			`end`
			`end`
			`end`

move all logic to omniauth implement omniauth-facebook / omniauth-twitter 2013-02-12 21:47:22 +08:00			`end`