From 6c36af9f6227fb925527fefcdd78c924163eb7be Mon Sep 17 00:00:00 2001 From: Natalie Tay Date: Fri, 8 Nov 2024 11:03:17 +0800 Subject: [PATCH] DEV: Add verbose logging for google oauth (#29459) --- config/locales/server.en.yml | 1 + config/site_settings.yml | 2 ++ lib/auth/google_oauth2_authenticator.rb | 22 +++++++++++++++------- 3 files changed, 18 insertions(+), 7 deletions(-) diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml index 443cd8be33e..c1b468c272a 100644 --- a/config/locales/server.en.yml +++ b/config/locales/server.en.yml @@ -2006,6 +2006,7 @@ en: google_oauth2_hd_groups: "Retrieve users' Google groups on the hosted domain on authentication. Retrieved Google groups can be used to grant automatic Discourse group membership (see group settings). For more information see https://meta.discourse.org/t/226850" google_oauth2_hd_groups_service_account_admin_email: "An email address belonging to a Google Workspace administrator account. Will be used with the service account credentials to fetch group information." google_oauth2_hd_groups_service_account_json: "JSON formatted key information for the Service Account. Will be used to fetch group information." + google_oauth2_verbose_logging: "Log verbose Google OAuth2 related diagnostics to /logs" enable_twitter_logins: "Enable Twitter authentication, requires twitter_consumer_key and twitter_consumer_secret. See Configuring Twitter login (and rich embeds) for Discourse." twitter_consumer_key: "Consumer key for Twitter authentication, registered at https://developer.twitter.com/apps" diff --git a/config/site_settings.yml b/config/site_settings.yml index a840d6d5866..0c6abed86b4 100644 --- a/config/site_settings.yml +++ b/config/site_settings.yml @@ -494,6 +494,8 @@ login: google_oauth2_hd_groups_service_account_json: default: "" textarea: true + google_oauth2_verbose_logging: + default: false enable_twitter_logins: default: false twitter_consumer_key: diff --git a/lib/auth/google_oauth2_authenticator.rb b/lib/auth/google_oauth2_authenticator.rb index ac331cd3d84..e5f32502031 100644 --- a/lib/auth/google_oauth2_authenticator.rb +++ b/lib/auth/google_oauth2_authenticator.rb @@ -24,23 +24,31 @@ class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator options = { setup: lambda do |env| - strategy = env["omniauth.strategy"] - strategy.options[:client_id] = SiteSetting.google_oauth2_client_id - strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret + opts = env["omniauth.strategy"].options + opts[:client_id] = SiteSetting.google_oauth2_client_id + opts[:client_secret] = SiteSetting.google_oauth2_client_secret if (google_oauth2_hd = SiteSetting.google_oauth2_hd).present? - strategy.options[:hd] = google_oauth2_hd + opts[:hd] = google_oauth2_hd end if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present? - strategy.options[:prompt] = google_oauth2_prompt.gsub("|", " ") + opts[:prompt] = google_oauth2_prompt.gsub("|", " ") + end + opts[:client_options][:connection_build] = lambda do |builder| + if SiteSetting.google_oauth2_verbose_logging + builder.response :logger, + Rails.logger, + { bodies: true, formatter: Auth::OauthFaradayFormatter } + end + builder.request :url_encoded + builder.adapter FinalDestination::FaradayAdapter end - # All the data we need for the `info` and `credentials` auth hash # are obtained via the user info API, not the JWT. Using and verifying # the JWT can fail due to clock skew, so let's skip it completely. # https://github.com/zquestz/omniauth-google-oauth2/pull/392 - strategy.options[:skip_jwt] = true + opts[:skip_jwt] = true end, } omniauth.provider :google_oauth2, options