mirror of
https://github.com/discourse/discourse.git
synced 2024-12-12 21:34:16 +08:00
355d51afde
This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
153 lines
3.3 KiB
Ruby
153 lines
3.3 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class SingleSignOn
|
|
|
|
class ParseError < RuntimeError; end
|
|
|
|
ACCESSORS = %i{
|
|
add_groups
|
|
admin moderator
|
|
avatar_force_update
|
|
avatar_url
|
|
bio
|
|
card_background_url
|
|
email
|
|
external_id
|
|
groups
|
|
locale
|
|
locale_force_update
|
|
logout
|
|
name
|
|
nonce
|
|
profile_background_url
|
|
remove_groups
|
|
require_activation
|
|
return_sso_url
|
|
suppress_welcome_message
|
|
title
|
|
username
|
|
website
|
|
location
|
|
}
|
|
|
|
FIXNUMS = []
|
|
|
|
BOOLS = %i{
|
|
admin
|
|
avatar_force_update
|
|
locale_force_update
|
|
logout
|
|
moderator
|
|
require_activation
|
|
suppress_welcome_message
|
|
}
|
|
|
|
def self.nonce_expiry_time
|
|
@nonce_expiry_time ||= 10.minutes
|
|
end
|
|
|
|
def self.nonce_expiry_time=(v)
|
|
@nonce_expiry_time = v
|
|
end
|
|
|
|
attr_accessor(*ACCESSORS)
|
|
attr_writer :sso_secret, :sso_url
|
|
|
|
def self.sso_secret
|
|
raise RuntimeError, "sso_secret not implemented on class, be sure to set it on instance"
|
|
end
|
|
|
|
def self.sso_url
|
|
raise RuntimeError, "sso_url not implemented on class, be sure to set it on instance"
|
|
end
|
|
|
|
def self.parse(payload, sso_secret = nil, **init_kwargs)
|
|
sso = new(**init_kwargs)
|
|
sso.sso_secret = sso_secret if sso_secret
|
|
|
|
parsed = Rack::Utils.parse_query(payload)
|
|
decoded = Base64.decode64(parsed["sso"])
|
|
decoded_hash = Rack::Utils.parse_query(decoded)
|
|
|
|
if sso.sign(parsed["sso"]) != parsed["sig"]
|
|
diags = "\n\nsso: #{parsed["sso"]}\n\nsig: #{parsed["sig"]}\n\nexpected sig: #{sso.sign(parsed["sso"])}"
|
|
if parsed["sso"] =~ /[^a-zA-Z0-9=\r\n\/+]/m
|
|
raise ParseError, "The SSO field should be Base64 encoded, using only A-Z, a-z, 0-9, +, /, and = characters. Your input contains characters we don't understand as Base64, see http://en.wikipedia.org/wiki/Base64 #{diags}"
|
|
else
|
|
raise ParseError, "Bad signature for payload #{diags}"
|
|
end
|
|
end
|
|
|
|
ACCESSORS.each do |k|
|
|
val = decoded_hash[k.to_s]
|
|
val = val.to_i if FIXNUMS.include? k
|
|
if BOOLS.include? k
|
|
val = ["true", "false"].include?(val) ? val == "true" : nil
|
|
end
|
|
sso.public_send("#{k}=", val)
|
|
end
|
|
|
|
decoded_hash.each do |k, v|
|
|
if field = k[/^custom\.(.+)$/, 1]
|
|
sso.custom_fields[field] = v
|
|
end
|
|
end
|
|
|
|
sso
|
|
end
|
|
|
|
def diagnostics
|
|
SingleSignOn::ACCESSORS.map { |a| "#{a}: #{public_send(a)}" }.join("\n")
|
|
end
|
|
|
|
def sso_secret
|
|
@sso_secret || self.class.sso_secret
|
|
end
|
|
|
|
def sso_url
|
|
@sso_url || self.class.sso_url
|
|
end
|
|
|
|
def custom_fields
|
|
@custom_fields ||= {}
|
|
end
|
|
|
|
def sign(payload, secret = nil)
|
|
secret = secret || sso_secret
|
|
OpenSSL::HMAC.hexdigest("sha256", secret, payload)
|
|
end
|
|
|
|
def to_json
|
|
self.to_h.to_json
|
|
end
|
|
|
|
def to_url(base_url = nil)
|
|
base = "#{base_url || sso_url}"
|
|
"#{base}#{base.include?('?') ? '&' : '?'}#{payload}"
|
|
end
|
|
|
|
def payload(secret = nil)
|
|
payload = Base64.strict_encode64(unsigned_payload)
|
|
"sso=#{CGI::escape(payload)}&sig=#{sign(payload, secret)}"
|
|
end
|
|
|
|
def unsigned_payload
|
|
Rack::Utils.build_query(self.to_h)
|
|
end
|
|
|
|
def to_h
|
|
payload = {}
|
|
|
|
ACCESSORS.each do |k|
|
|
next if (val = public_send(k)) == nil
|
|
payload[k] = val
|
|
end
|
|
|
|
@custom_fields&.each do |k, v|
|
|
payload["custom.#{k}"] = v.to_s
|
|
end
|
|
|
|
payload
|
|
end
|
|
end
|