github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-23 06:49:14 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
291bbc4fb9
discourse/app/services/user_authenticator.rb
Dan Ungureanu fa8cd629f1
DEV: Hash tokens stored from email_tokens (#14493) 
This commit adds token_hash and scopes columns to email_tokens table.
token_hash is a replacement for the token column to avoid storing email
tokens in plaintext as it can pose a security risk. The new scope column
ensures that email tokens cannot be used to perform a different action
than the one intended.

To sum up, this commit:

* Adds token_hash and scope to email_tokens

* Reuses code that schedules critical_user_email

* Refactors EmailToken.confirm and EmailToken.atomic_confirm methods

* Periodically cleans old, unconfirmed or expired email tokens
2021-11-25 09:34:39 +02:00

66 lines
1.5 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
class UserAuthenticator
def initialize(user, session, authenticator_finder: Users::OmniauthCallbacksController, require_password: true)
@user = user
@session = session
if session&.dig(:authentication) && session[:authentication].is_a?(Hash)
@auth_result = Auth::Result.from_session_data(session[:authentication], user: user)
end
@authenticator_finder = authenticator_finder
@require_password = require_password
end
def start
if authenticated?
@user.active = true
@auth_result.apply_user_attributes!
elsif @require_password
@user.password_required!
end
@user.skip_email_validation = true if @auth_result && @auth_result.skip_email_validation
end
def has_authenticator?
!!authenticator
end
def finish
if authenticator
authenticator.after_create_account(@user, @auth_result)
confirm_email
end
@session[:authentication] = @auth_result = nil if @session&.dig(:authentication)
end
def email_valid?
@auth_result&.email_valid
end
def authenticated?
return false if !@auth_result
return false if @auth_result&.email&.downcase != @user.email.downcase
return false if !@auth_result.email_valid
true
end
private
def confirm_email
@user.activate if authenticated?
end
def authenticator
if authenticator_name
@authenticator ||= @authenticator_finder.find_authenticator(authenticator_name)
end
end
def authenticator_name
@auth_result&.authenticator_name
end
end
Reference in New Issue View Git Blame Copy Permalink