mirror of
https://github.com/discourse/discourse.git
synced 2024-12-16 03:05:57 +08:00
SECURITY: Ensure oAuth authenticated email is the same as created user's email.
This commit is contained in:
parent
465660bdfc
commit
5cd680b0be
|
@ -21,7 +21,10 @@ class UserAuthenticator
|
||||||
end
|
end
|
||||||
|
|
||||||
def finish
|
def finish
|
||||||
authenticator.after_create_account(@user, @session) if authenticator
|
if authenticator && authenticated?
|
||||||
|
authenticator.after_create_account(@user, @session)
|
||||||
|
end
|
||||||
|
|
||||||
@session = nil
|
@session = nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
36
spec/components/auth/user_authenticator_spec.rb
Normal file
36
spec/components/auth/user_authenticator_spec.rb
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
require 'rails_helper'
|
||||||
|
|
||||||
|
RSpec.describe UserAuthenticator do
|
||||||
|
let(:user) { Fabricate(:user, email: 'test@discourse.org') }
|
||||||
|
|
||||||
|
describe "#finish" do
|
||||||
|
before do
|
||||||
|
SiteSetting.enable_google_oauth2_logins = true
|
||||||
|
end
|
||||||
|
|
||||||
|
it "should execute provider's callback" do
|
||||||
|
user.update!(email: 'test@gmail.com')
|
||||||
|
|
||||||
|
authenticator = UserAuthenticator.new(user, { authentication: {
|
||||||
|
authenticator_name: Auth::GoogleOAuth2Authenticator.new.name,
|
||||||
|
email: user.email,
|
||||||
|
email_valid: true,
|
||||||
|
extra_data: { google_user_id: 1 }
|
||||||
|
}})
|
||||||
|
|
||||||
|
expect { authenticator.finish }.to change { GoogleUserInfo.count }.by(1)
|
||||||
|
end
|
||||||
|
|
||||||
|
describe "when session's email is different from user's email" do
|
||||||
|
it "should not execute provider's callback" do
|
||||||
|
authenticator = UserAuthenticator.new(user, { authentication: {
|
||||||
|
authenticator_name: Auth::GoogleOAuth2Authenticator.new.name,
|
||||||
|
email: 'test@gmail.com',
|
||||||
|
email_valid: true
|
||||||
|
}})
|
||||||
|
|
||||||
|
expect { authenticator.finish }.to_not change { GoogleUserInfo.count }
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -614,6 +614,9 @@ describe UsersController do
|
||||||
auth = session[:authentication] = {}
|
auth = session[:authentication] = {}
|
||||||
auth[:authenticator_name] = 'twitter'
|
auth[:authenticator_name] = 'twitter'
|
||||||
auth[:extra_data] = twitter_auth
|
auth[:extra_data] = twitter_auth
|
||||||
|
auth[:email_valid] = true
|
||||||
|
auth[:email] = @user.email
|
||||||
|
|
||||||
TwitterUserInfo.expects(:create)
|
TwitterUserInfo.expects(:create)
|
||||||
|
|
||||||
post_user
|
post_user
|
||||||
|
|
Loading…
Reference in New Issue
Block a user