FIX: protect against future regressions of google omniauth

2025-01-30 04:23:01 +08:00 · 2016-11-07 12:48:00 +11:00 · 2016-11-07 12:48:00 +11:00 · 2ddabc3928
commit 2ddabc3928
parent 6a720b6011
2 changed files with 34 additions and 4 deletions
--- a/lib/auth/google_oauth2_authenticator.rb
+++ b/lib/auth/google_oauth2_authenticator.rb
@ -18,8 +18,11 @@ class Auth::GoogleOAuth2Authenticator < Auth::Authenticator
    user_info = GoogleUserInfo.find_by(google_user_id: google_hash[:google_user_id])
    result.user = user_info.try(:user)

-    if !result.user && !result.email.blank? && result.user = User.find_by_email(result.email)
-      GoogleUserInfo.create({user_id: result.user.id}.merge(google_hash))
+    if !result.user && !result.email.blank? && result.email_valid
+      result.user = User.find_by_email(result.email)
+      if result.user
+        GoogleUserInfo.create({user_id: result.user.id}.merge(google_hash))
+      end
    end

    result
--- a/spec/components/auth/google_oauth2_authenticator_spec.rb
+++ b/spec/components/auth/google_oauth2_authenticator_spec.rb
@ -6,9 +6,36 @@ load 'auth/google_oauth2_authenticator.rb'

 describe Auth::GoogleOAuth2Authenticator do

+  it 'does not look up user unless email is verified' do
+    # note, emails that come back from google via omniauth are always valid
+    # this protects against future regressions
+
+    authenticator = Auth::GoogleOAuth2Authenticator.new
+    user = Fabricate(:user)
+
+    hash = {
+      :uid => "123456789",
+      :info => {
+          :name => "John Doe",
+          :email => user.email
+      },
+      :extra => {
+        :raw_info => {
+          :email => user.email,
+          :email_verified => false,
+          :name => "John Doe"
+        }
+      }
+    }
+
+    result = authenticator.after_authenticate(hash)
+
+    expect(result.user).to eq(nil)
+  end
+
  context 'after_authenticate' do
    it 'can authenticate and create a user record for already existing users' do
-      authenticator = described_class.new
+      authenticator = Auth::GoogleOAuth2Authenticator.new
      user = Fabricate(:user)

      hash = {
@ -19,7 +46,7 @@ describe Auth::GoogleOAuth2Authenticator do
        },
        :extra => {
          :raw_info => {
-            :email => "user@domain.example.com",
+            :email => user.email,
            :email_verified => true,
            :name => "John Doe"
          }