From f80f8a34c0f9b90a097e0c8b223e9d195e4eda1c Mon Sep 17 00:00:00 2001
From: David Taylor <david@taylorhq.com>
Date: Wed, 28 Aug 2019 12:49:11 +0100
Subject: [PATCH] SECURITY: Reset password when activating an account via auth
 provider

Followup to d693b4e35fe0e58c5578eae4a56c06dff4756ba2
---
 .../users/omniauth_callbacks_controller.rb     |  5 ++++-
 .../omniauth_callbacks_controller_spec.rb      | 18 +++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index 65b3e4452de..72341c97217 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -128,7 +128,10 @@ class Users::OmniauthCallbacksController < ApplicationController
         user.email_tokens.create!(email: user.email)
       end
 
-      user.activate
+      if !user.active || !user.email_confirmed?
+        user.update!(password: SecureRandom.hex)
+        user.activate
+      end
       user.update!(registration_ip_address: request.remote_ip) if user.registration_ip_address.blank?
     end
 
diff --git a/spec/requests/omniauth_callbacks_controller_spec.rb b/spec/requests/omniauth_callbacks_controller_spec.rb
index c5a093f82c7..ee6db8d784e 100644
--- a/spec/requests/omniauth_callbacks_controller_spec.rb
+++ b/spec/requests/omniauth_callbacks_controller_spec.rb
@@ -213,7 +213,7 @@ RSpec.describe Users::OmniauthCallbacksController do
         expect(user.email_confirmed?).to eq(true)
       end
 
-      it "should activate/unstage staged user" do
+      it "should unstage staged user" do
         user.update!(staged: true, registration_ip_address: nil)
 
         user.reload
@@ -233,6 +233,22 @@ RSpec.describe Users::OmniauthCallbacksController do
         expect(user.registration_ip_address).to be_present
       end
 
+      it "should activate user with matching email" do
+        user.update!(password: "securepassword", active: false, registration_ip_address: "1.1.1.1")
+
+        user.reload
+        expect(user.active).to eq(false)
+        expect(user.confirm_password?("securepassword")).to eq(true)
+
+        get "/auth/google_oauth2/callback.json"
+
+        user.reload
+        expect(user.active).to eq(true)
+
+        # Delete the password, it may have been set by someone else
+        expect(user.confirm_password?("securepassword")).to eq(false)
+      end
+
       context 'when user has second factor enabled' do
         before do
           user.create_totp(enabled: true)