mirror of
https://github.com/discourse/discourse.git
synced 2024-11-27 19:43:44 +08:00
2ae7c47a3c
If a site is configured for GitHub logins, _**and**_ has an email domain whitelist, it's possible to get in a state where a new user is locked to a non-whitelist email (their GitHub primary) even though they have an alternate email that's on the whitelist. In all cases, the GitHub primary email is attempted first so that previously existing behavior will be the default. - Add whitelist/blacklist support to GithubAuthenticator (via EmailValidator) - Add multiple email support GithubAuthenticator - Add test specs for GithubAuthenticator - Add authenticator-agnostic "none of your email addresses are allowed" error message.
173 lines
4.9 KiB
Ruby
173 lines
4.9 KiB
Ruby
require 'rails_helper'
|
|
|
|
# In the ghetto ... getting the spec to run in autospec
|
|
# thing is we need to load up all auth really early pre-fork
|
|
# it means that the require is not going to get a new copy
|
|
Auth.send(:remove_const, :GithubAuthenticator)
|
|
load 'auth/github_authenticator.rb'
|
|
|
|
describe Auth::GithubAuthenticator do
|
|
|
|
context 'after_authenticate' do
|
|
|
|
it 'can authenticate and create a user record for already existing users' do
|
|
user = Fabricate(:user)
|
|
|
|
hash = {
|
|
:extra => {
|
|
:all_emails => [{
|
|
:email => user.email,
|
|
:primary => true,
|
|
:verified => true,
|
|
}]
|
|
},
|
|
:info => {
|
|
:email => user.email,
|
|
:email_verified => true,
|
|
:nickname => user.username,
|
|
:name => user.name,
|
|
},
|
|
:uid => "100"
|
|
}
|
|
|
|
authenticator = Auth::GithubAuthenticator.new
|
|
result = authenticator.after_authenticate(hash)
|
|
|
|
expect(result.user.id).to eq(user.id)
|
|
expect(result.username).to eq(user.username)
|
|
expect(result.name).to eq(user.name)
|
|
expect(result.email).to eq(user.email)
|
|
expect(result.email_valid).to eq(true)
|
|
end
|
|
|
|
it 'will not authenticate for already existing users with an unverified email' do
|
|
user = Fabricate(:user)
|
|
|
|
hash = {
|
|
:extra => {
|
|
:all_emails => [{
|
|
:email => user.email,
|
|
:primary => true,
|
|
:verified => false,
|
|
}]
|
|
},
|
|
:info => {
|
|
:email => user.email,
|
|
:email_verified => false,
|
|
:nickname => user.username,
|
|
:name => user.name,
|
|
},
|
|
:uid => "100"
|
|
}
|
|
|
|
authenticator = Auth::GithubAuthenticator.new
|
|
result = authenticator.after_authenticate(hash)
|
|
|
|
expect(result.user).to eq(nil)
|
|
expect(result.username).to eq(user.username)
|
|
expect(result.name).to eq(user.name)
|
|
expect(result.email).to eq(user.email)
|
|
expect(result.email_valid).to eq(false)
|
|
end
|
|
|
|
it 'can create a proper result for non existing users' do
|
|
hash = {
|
|
:extra => {
|
|
:all_emails => [{
|
|
:email => "person@example.com",
|
|
:primary => true,
|
|
:verified => true,
|
|
}]
|
|
},
|
|
:info => {
|
|
:email => "person@example.com",
|
|
:email_verified => true,
|
|
:nickname => "person",
|
|
:name => "Person Lastname",
|
|
},
|
|
:uid => "100"
|
|
}
|
|
|
|
authenticator = Auth::GithubAuthenticator.new
|
|
result = authenticator.after_authenticate(hash)
|
|
|
|
expect(result.user).to eq(nil)
|
|
expect(result.username).to eq(hash[:info][:nickname])
|
|
expect(result.name).to eq(hash[:info][:name])
|
|
expect(result.email).to eq(hash[:info][:email])
|
|
expect(result.email_valid).to eq(hash[:info][:email_verified])
|
|
end
|
|
|
|
it 'will skip blacklisted domains for non existing users' do
|
|
hash = {
|
|
:extra => {
|
|
:all_emails => [{
|
|
:email => "not_allowed@blacklist.com",
|
|
:primary => true,
|
|
:verified => true,
|
|
},{
|
|
:email => "allowed@whitelist.com",
|
|
:primary => false,
|
|
:verified => true,
|
|
}]
|
|
},
|
|
:info => {
|
|
:email => "not_allowed@blacklist.com",
|
|
:email_verified => true,
|
|
:nickname => "person",
|
|
:name => "Person Lastname",
|
|
},
|
|
:uid => "100"
|
|
}
|
|
|
|
authenticator = Auth::GithubAuthenticator.new
|
|
SiteSetting.email_domains_blacklist = "blacklist.com"
|
|
result = authenticator.after_authenticate(hash)
|
|
|
|
expect(result.user).to eq(nil)
|
|
expect(result.username).to eq(hash[:info][:nickname])
|
|
expect(result.name).to eq(hash[:info][:name])
|
|
expect(result.email).to eq("allowed@whitelist.com")
|
|
expect(result.email_valid).to eq(true)
|
|
end
|
|
|
|
it 'will find whitelisted domains for non existing users' do
|
|
hash = {
|
|
:extra => {
|
|
:all_emails => [{
|
|
:email => "person@example.com",
|
|
:primary => true,
|
|
:verified => true,
|
|
},{
|
|
:email => "not_allowed@blacklist.com",
|
|
:primary => true,
|
|
:verified => true,
|
|
},{
|
|
:email => "allowed@whitelist.com",
|
|
:primary => false,
|
|
:verified => true,
|
|
}]
|
|
},
|
|
:info => {
|
|
:email => "person@example.com",
|
|
:email_verified => true,
|
|
:nickname => "person",
|
|
:name => "Person Lastname",
|
|
},
|
|
:uid => "100"
|
|
}
|
|
|
|
authenticator = Auth::GithubAuthenticator.new
|
|
SiteSetting.email_domains_whitelist = "whitelist.com"
|
|
result = authenticator.after_authenticate(hash)
|
|
|
|
expect(result.user).to eq(nil)
|
|
expect(result.username).to eq(hash[:info][:nickname])
|
|
expect(result.name).to eq(hash[:info][:name])
|
|
expect(result.email).to eq("allowed@whitelist.com")
|
|
expect(result.email_valid).to eq(true)
|
|
end
|
|
|
|
end
|
|
end
|