mirror of
https://github.com/discourse/discourse.git
synced 2024-12-14 16:43:45 +08:00
SECURITY: Reset password when activating an account via auth provider
Followup to d693b4e35fe0e58c5578eae4a56c06dff4756ba2
This commit is contained in:
parent
a3d42e2c52
commit
f80f8a34c0
|
@ -128,7 +128,10 @@ class Users::OmniauthCallbacksController < ApplicationController
|
|||
user.email_tokens.create!(email: user.email)
|
||||
end
|
||||
|
||||
if !user.active || !user.email_confirmed?
|
||||
user.update!(password: SecureRandom.hex)
|
||||
user.activate
|
||||
end
|
||||
user.update!(registration_ip_address: request.remote_ip) if user.registration_ip_address.blank?
|
||||
end
|
||||
|
||||
|
|
|
@ -213,7 +213,7 @@ RSpec.describe Users::OmniauthCallbacksController do
|
|||
expect(user.email_confirmed?).to eq(true)
|
||||
end
|
||||
|
||||
it "should activate/unstage staged user" do
|
||||
it "should unstage staged user" do
|
||||
user.update!(staged: true, registration_ip_address: nil)
|
||||
|
||||
user.reload
|
||||
|
@ -233,6 +233,22 @@ RSpec.describe Users::OmniauthCallbacksController do
|
|||
expect(user.registration_ip_address).to be_present
|
||||
end
|
||||
|
||||
it "should activate user with matching email" do
|
||||
user.update!(password: "securepassword", active: false, registration_ip_address: "1.1.1.1")
|
||||
|
||||
user.reload
|
||||
expect(user.active).to eq(false)
|
||||
expect(user.confirm_password?("securepassword")).to eq(true)
|
||||
|
||||
get "/auth/google_oauth2/callback.json"
|
||||
|
||||
user.reload
|
||||
expect(user.active).to eq(true)
|
||||
|
||||
# Delete the password, it may have been set by someone else
|
||||
expect(user.confirm_password?("securepassword")).to eq(false)
|
||||
end
|
||||
|
||||
context 'when user has second factor enabled' do
|
||||
before do
|
||||
user.create_totp(enabled: true)
|
||||
|
|
Loading…
Reference in New Issue
Block a user