discourse/spec/requests/omniauth_callbacks_controller_spec.rb
David Taylor d2bceff133
FEATURE: Use full page redirection for all external auth methods (#8092)
Using popups is becoming increasingly rare. Full page redirects are already used on mobile, and for some providers. This commit removes all logic related to popup authentication, leaving only the full page redirect method.

For more info, see https://meta.discourse.org/t/do-we-need-popups-for-login/127988
2019-10-08 12:10:43 +01:00

644 lines
21 KiB
Ruby

# frozen_string_literal: true
require 'rails_helper'
require 'single_sign_on'
RSpec.describe Users::OmniauthCallbacksController do
fab!(:user) { Fabricate(:user) }
before do
OmniAuth.config.test_mode = true
end
after do
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2] = nil
OmniAuth.config.test_mode = false
end
describe ".find_authenticator" do
it "fails if a provider is disabled" do
SiteSetting.enable_twitter_logins = false
expect do
Users::OmniauthCallbacksController.find_authenticator("twitter")
end.to raise_error(Discourse::InvalidAccess)
end
it "fails for unknown" do
expect do
Users::OmniauthCallbacksController.find_authenticator("twitter1")
end.to raise_error(Discourse::InvalidAccess)
end
it "finds an authenticator when enabled" do
SiteSetting.enable_twitter_logins = true
expect(Users::OmniauthCallbacksController.find_authenticator("twitter"))
.not_to eq(nil)
end
context "with a plugin-contributed auth provider" do
let :provider do
provider = Auth::AuthProvider.new
provider.authenticator = Class.new(Auth::Authenticator) do
def name
'ubuntu'
end
def enabled?
SiteSetting.ubuntu_login_enabled
end
end.new
provider.enabled_setting = "ubuntu_login_enabled"
provider
end
before do
DiscoursePluginRegistry.register_auth_provider(provider)
end
after do
DiscoursePluginRegistry.reset!
end
it "finds an authenticator when enabled" do
SiteSetting.stubs(:ubuntu_login_enabled).returns(true)
expect(Users::OmniauthCallbacksController.find_authenticator("ubuntu"))
.to be(provider.authenticator)
end
it "fails if an authenticator is disabled" do
SiteSetting.stubs(:ubuntu_login_enabled).returns(false)
expect { Users::OmniauthCallbacksController.find_authenticator("ubuntu") }
.to raise_error(Discourse::InvalidAccess)
end
end
end
context 'Google Oauth2' do
before do
SiteSetting.enable_google_oauth2_logins = true
end
it "should display the failure message if needed" do
get "/auth/failure"
expect(response.status).to eq(200)
expect(response.body).to include(I18n.t("login.omniauth_error.generic"))
end
describe "request" do
it "should error for non existant authenticators" do
post "/auth/fake_auth"
expect(response.status).to eq(404)
get "/auth/fake_auth"
expect(response.status).to eq(403)
end
it "should error for disabled authenticators" do
SiteSetting.enable_google_oauth2_logins = false
post "/auth/google_oauth2"
expect(response.status).to eq(404)
get "/auth/google_oauth2"
expect(response.status).to eq(403)
end
it "should handle common errors" do
OmniAuth::Strategies::GoogleOauth2.any_instance.stubs(:mock_request_call).raises(
OAuth::Unauthorized.new(mock().tap { |m| m.stubs(:code).returns(403); m.stubs(:message).returns("Message") })
)
post "/auth/google_oauth2"
expect(response.status).to eq(302)
expect(response.location).to include("/auth/failure?message=request_error")
OmniAuth::Strategies::GoogleOauth2.any_instance.stubs(:mock_request_call).raises(JWT::InvalidIatError.new)
post "/auth/google_oauth2"
expect(response.status).to eq(302)
expect(response.location).to include("/auth/failure?message=invalid_iat")
end
it "should only start auth with a POST request" do
post "/auth/google_oauth2"
expect(response.status).to eq(302)
get "/auth/google_oauth2"
expect(response.status).to eq(200)
end
context "with CSRF protection enabled" do
before { ActionController::Base.allow_forgery_protection = true }
after { ActionController::Base.allow_forgery_protection = false }
it "should be CSRF protected" do
post "/auth/google_oauth2"
expect(response.status).to eq(302)
expect(response.location).to include("/auth/failure?message=csrf_detected")
post "/auth/google_oauth2", params: { authenticity_token: "faketoken" }
expect(response.status).to eq(302)
expect(response.location).to include("/auth/failure?message=csrf_detected")
get "/session/csrf.json"
token = JSON.parse(response.body)["csrf"]
post "/auth/google_oauth2", params: { authenticity_token: token }
expect(response.status).to eq(302)
end
it "should not be CSRF protected if it is the only auth method" do
get "/auth/google_oauth2"
expect(response.status).to eq(200)
SiteSetting.enable_local_logins = false
get "/auth/google_oauth2"
expect(response.status).to eq(302)
end
end
end
context "without an `omniauth.auth` env" do
it "should return a 404" do
get "/auth/eviltrout/callback"
expect(response.code).to eq("404")
end
end
describe 'when user not found' do
let(:email) { "somename@gmail.com" }
before do
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
provider: 'google_oauth2',
uid: '123545',
info: OmniAuth::AuthHash::InfoHash.new(
email: email,
name: 'Some Name',
first_name: "Some",
last_name: "Name"
),
extra: {
raw_info: OmniAuth::AuthHash.new(
email_verified: true,
email: email,
family_name: 'Huh',
given_name: "Some Name",
gender: 'male',
name: "Some name Huh",
)
}
)
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
end
it 'should return the right response' do
destination_url = '/somepath'
Rails.application.env_config["omniauth.origin"] = destination_url
get "/auth/google_oauth2/callback.json"
expect(response.status).to eq(302)
data = JSON.parse(cookies[:authentication_data])
expect(data["email"]).to eq(email)
expect(data["username"]).to eq("Some_Name")
expect(data["auth_provider"]).to eq("google_oauth2")
expect(data["email_valid"]).to eq(true)
expect(data["omit_username"]).to eq(false)
expect(data["name"]).to eq("Some Name")
expect(data["destination_url"]).to eq(destination_url)
end
it 'should include destination url in response' do
destination_url = '/cookiepath'
cookies[:destination_url] = destination_url
get "/auth/google_oauth2/callback.json"
data = JSON.parse(cookies[:authentication_data])
expect(data["destination_url"]).to eq(destination_url)
end
end
describe 'when user has been verified' do
before do
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
provider: 'google_oauth2',
uid: '123545',
info: OmniAuth::AuthHash::InfoHash.new(
email: user.email,
name: 'Some name'
),
extra: {
raw_info: OmniAuth::AuthHash.new(
email_verified: true,
email: user.email,
family_name: 'Huh',
given_name: user.name,
gender: 'male',
name: "#{user.name} Huh",
)
},
)
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
end
it 'should return the right response' do
expect(user.email_confirmed?).to eq(false)
events = DiscourseEvent.track_events do
get "/auth/google_oauth2/callback.json"
end
expect(events.map { |event| event[:event_name] }).to include(:user_logged_in, :user_first_logged_in)
expect(response.status).to eq(302)
data = JSON.parse(cookies[:authentication_data])
expect(data["authenticated"]).to eq(true)
expect(data["awaiting_activation"]).to eq(false)
expect(data["awaiting_approval"]).to eq(false)
expect(data["not_allowed_from_ip_address"]).to eq(false)
expect(data["admin_not_allowed_from_ip_address"]).to eq(false)
user.reload
expect(user.email_confirmed?).to eq(true)
end
it "should confirm email even when the tokens are expired" do
user.email_tokens.update_all(confirmed: false, expired: true)
user.reload
expect(user.email_confirmed?).to eq(false)
events = DiscourseEvent.track_events do
get "/auth/google_oauth2/callback.json"
end
expect(events.map { |event| event[:event_name] }).to include(:user_logged_in, :user_first_logged_in)
expect(response.status).to eq(302)
user.reload
expect(user.email_confirmed?).to eq(true)
end
it "should unstage staged user" do
user.update!(staged: true, registration_ip_address: nil)
user.reload
expect(user.staged).to eq(true)
expect(user.registration_ip_address).to eq(nil)
events = DiscourseEvent.track_events do
get "/auth/google_oauth2/callback.json"
end
expect(events.map { |event| event[:event_name] }).to include(:user_logged_in, :user_first_logged_in)
expect(response.status).to eq(302)
user.reload
expect(user.staged).to eq(false)
expect(user.registration_ip_address).to be_present
end
it "should activate user with matching email" do
user.update!(password: "securepassword", active: false, registration_ip_address: "1.1.1.1")
user.reload
expect(user.active).to eq(false)
expect(user.confirm_password?("securepassword")).to eq(true)
get "/auth/google_oauth2/callback.json"
user.reload
expect(user.active).to eq(true)
# Delete the password, it may have been set by someone else
expect(user.confirm_password?("securepassword")).to eq(false)
end
context 'when user has second factor enabled' do
before do
user.create_totp(enabled: true)
end
it 'should return the right response' do
get "/auth/google_oauth2/callback.json"
expect(response.status).to eq(302)
data = JSON.parse(cookies[:authentication_data])
expect(data["email"]).to eq(user.email)
expect(data["omniauth_disallow_totp"]).to eq(true)
user.update!(email: 'different@user.email')
get "/auth/google_oauth2/callback.json"
expect(response.status).to eq(302)
expect(JSON.parse(cookies[:authentication_data])["email"]).to eq(user.email)
end
end
context 'when sso_payload cookie exist' do
before do
SiteSetting.enable_sso_provider = true
SiteSetting.sso_secret = "topsecret"
@sso = SingleSignOn.new
@sso.nonce = "mynonce"
@sso.sso_secret = SiteSetting.sso_secret
@sso.return_sso_url = "http://somewhere.over.rainbow/sso"
cookies[:sso_payload] = @sso.payload
UserAssociatedAccount.create!(provider_name: "google_oauth2", provider_uid: '12345', user: user)
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
provider: 'google_oauth2',
uid: '12345',
info: OmniAuth::AuthHash::InfoHash.new(
email: 'someother_email@test.com',
name: 'Some name'
),
extra: {
raw_info: OmniAuth::AuthHash.new(
email_verified: true,
email: 'someother_email@test.com',
family_name: 'Huh',
given_name: user.name,
gender: 'male',
name: "#{user.name} Huh",
)
},
)
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
end
it 'should return the right response' do
get "/auth/google_oauth2/callback.json"
expect(response.status).to eq(302)
data = JSON.parse(cookies[:authentication_data])
expect(data["destination_url"]).to match(/\/session\/sso_provider\?sso\=.*\&sig\=.*/)
end
end
context 'when user has not verified his email' do
before do
UserAssociatedAccount.create!(provider_name: "google_oauth2", provider_uid: '12345', user: user)
user.update!(active: false)
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
provider: 'google_oauth2',
uid: '12345',
info: OmniAuth::AuthHash::InfoHash.new(
email: 'someother_email@test.com',
name: 'Some name'
),
extra: {
raw_info: OmniAuth::AuthHash.new(
email_verified: true,
email: 'someother_email@test.com',
family_name: 'Huh',
given_name: user.name,
gender: 'male',
name: "#{user.name} Huh",
)
},
)
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
end
it 'should return the right response' do
get "/auth/google_oauth2/callback.json"
expect(response.status).to eq(302)
data = JSON.parse(cookies[:authentication_data])
expect(user.reload.active).to eq(false)
expect(data["authenticated"]).to eq(false)
expect(data["awaiting_activation"]).to eq(true)
end
end
context 'with full screen login' do
before do
cookies['fsl'] = true
end
it "doesn't attempt redirect to external origin" do
post "/auth/google_oauth2?origin=https://example.com/external"
get "/auth/google_oauth2/callback"
expect(response.status).to eq 302
expect(response.location).to eq "http://test.localhost/"
cookie_data = JSON.parse(response.cookies['authentication_data'])
expect(cookie_data["destination_url"]).to eq('/')
end
it "redirects to internal origin" do
post "/auth/google_oauth2?origin=http://test.localhost/t/123"
get "/auth/google_oauth2/callback"
expect(response.status).to eq 302
expect(response.location).to eq "http://test.localhost/t/123"
cookie_data = JSON.parse(response.cookies['authentication_data'])
expect(cookie_data["destination_url"]).to eq('/t/123')
end
it "redirects to relative origin" do
post "/auth/google_oauth2?origin=/t/123"
get "/auth/google_oauth2/callback"
expect(response.status).to eq 302
expect(response.location).to eq "http://test.localhost/t/123"
cookie_data = JSON.parse(response.cookies['authentication_data'])
expect(cookie_data["destination_url"]).to eq('/t/123')
end
it "redirects with query" do
post "/auth/google_oauth2?origin=/t/123?foo=bar"
get "/auth/google_oauth2/callback"
expect(response.status).to eq 302
expect(response.location).to eq "http://test.localhost/t/123?foo=bar"
cookie_data = JSON.parse(response.cookies['authentication_data'])
expect(cookie_data["destination_url"]).to eq('/t/123?foo=bar')
end
it "removes authentication_data cookie on logout" do
post "/auth/google_oauth2?origin=https://example.com/external"
get "/auth/google_oauth2/callback"
provider = log_in_user(Fabricate(:user))
expect(cookies['authentication_data']).to be
log_out_user(provider)
expect(cookies['authentication_data']).to be_nil
end
after do
cookies.delete('fsl')
end
end
end
context 'when attempting reconnect' do
fab!(:user2) { Fabricate(:user) }
before do
UserAssociatedAccount.create!(provider_name: "google_oauth2", provider_uid: '12345', user: user)
UserAssociatedAccount.create!(provider_name: "google_oauth2", provider_uid: '123456', user: user2)
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
provider: 'google_oauth2',
uid: '12345',
info: OmniAuth::AuthHash::InfoHash.new(
email: 'someother_email@test.com',
name: 'Some name'
),
extra: {
raw_info: OmniAuth::AuthHash.new(
email_verified: true,
email: 'someother_email@test.com',
family_name: 'Huh',
given_name: user.name,
gender: 'male',
name: "#{user.name} Huh",
)
},
)
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
end
it 'should not reconnect normally' do
# Log in normally
post "/auth/google_oauth2"
expect(response.status).to eq(302)
expect(session[:auth_reconnect]).to eq(false)
get "/auth/google_oauth2/callback.json"
expect(response.status).to eq(302)
expect(session[:current_user_id]).to eq(user.id)
# Log into another user
OmniAuth.config.mock_auth[:google_oauth2].uid = "123456"
post "/auth/google_oauth2"
expect(response.status).to eq(302)
expect(session[:auth_reconnect]).to eq(false)
get "/auth/google_oauth2/callback.json"
expect(response.status).to eq(302)
expect(session[:current_user_id]).to eq(user2.id)
expect(UserAssociatedAccount.count).to eq(2)
end
it 'should redirect to associate URL if parameter supplied' do
# Log in normally
post "/auth/google_oauth2?reconnect=true"
expect(response.status).to eq(302)
expect(session[:auth_reconnect]).to eq(true)
get "/auth/google_oauth2/callback.json"
expect(response.status).to eq(302)
expect(session[:current_user_id]).to eq(user.id)
# Clear cookie after login
expect(session[:auth_reconnect]).to eq(nil)
# Disconnect
UserAssociatedAccount.find_by(user_id: user.id).destroy
# Reconnect flow:
post "/auth/google_oauth2?reconnect=true"
expect(response.status).to eq(302)
expect(session[:auth_reconnect]).to eq(true)
OmniAuth.config.mock_auth[:google_oauth2].uid = "123456"
get "/auth/google_oauth2/callback.json"
expect(response.status).to eq(302)
expect(response.redirect_url).to start_with("http://test.localhost/associate/")
expect(session[:current_user_id]).to eq(user.id)
expect(UserAssociatedAccount.count).to eq(1) # Reconnect has not yet happened
end
end
context 'after changing email' do
def login(identity)
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
provider: 'google_oauth2',
uid: "123545#{identity[:username]}",
info: OmniAuth::AuthHash::InfoHash.new(
email: identity[:email],
name: 'Some name'
),
extra: {
raw_info: OmniAuth::AuthHash.new(
email_verified: true,
email: identity[:email],
family_name: 'Huh',
given_name: identity[:name],
gender: 'male',
name: "#{identity[:name]} Huh",
)
},
)
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
get "/auth/google_oauth2/callback.json"
expect(response.status).to eq(302)
JSON.parse(cookies[:authentication_data])
end
it 'activates the correct email' do
old_email = 'old@email.com'
old_identity = { name: 'Bob',
username: 'bob',
email: old_email }
user = Fabricate(:user, email: old_email)
new_email = 'new@email.com'
new_identity = { name: 'Bob',
username: 'boguslaw',
email: new_email }
updater = EmailUpdater.new(user.guardian, user)
updater.change_to(new_email)
user.reload
expect(user.email).to eq(old_email)
response = login(old_identity)
expect(response['authenticated']).to eq(true)
user.reload
expect(user.email).to eq(old_email)
delete "/session/#{user.username}" # log out
response = login(new_identity)
expect(response['authenticated']).to eq(nil)
expect(response['email']).to eq(new_email)
end
end
end
end