mirror of
https://github.com/discourse/discourse.git
synced 2024-12-01 08:53:38 +08:00
fa8cd629f1
This commit adds token_hash and scopes columns to email_tokens table. token_hash is a replacement for the token column to avoid storing email tokens in plaintext as it can pose a security risk. The new scope column ensures that email tokens cannot be used to perform a different action than the one intended. To sum up, this commit: * Adds token_hash and scope to email_tokens * Reuses code that schedules critical_user_email * Refactors EmailToken.confirm and EmailToken.atomic_confirm methods * Periodically cleans old, unconfirmed or expired email tokens
66 lines
1.5 KiB
Ruby
66 lines
1.5 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class UserAuthenticator
|
|
|
|
def initialize(user, session, authenticator_finder: Users::OmniauthCallbacksController, require_password: true)
|
|
@user = user
|
|
@session = session
|
|
if session&.dig(:authentication) && session[:authentication].is_a?(Hash)
|
|
@auth_result = Auth::Result.from_session_data(session[:authentication], user: user)
|
|
end
|
|
@authenticator_finder = authenticator_finder
|
|
@require_password = require_password
|
|
end
|
|
|
|
def start
|
|
if authenticated?
|
|
@user.active = true
|
|
@auth_result.apply_user_attributes!
|
|
elsif @require_password
|
|
@user.password_required!
|
|
end
|
|
|
|
@user.skip_email_validation = true if @auth_result && @auth_result.skip_email_validation
|
|
end
|
|
|
|
def has_authenticator?
|
|
!!authenticator
|
|
end
|
|
|
|
def finish
|
|
if authenticator
|
|
authenticator.after_create_account(@user, @auth_result)
|
|
confirm_email
|
|
end
|
|
@session[:authentication] = @auth_result = nil if @session&.dig(:authentication)
|
|
end
|
|
|
|
def email_valid?
|
|
@auth_result&.email_valid
|
|
end
|
|
|
|
def authenticated?
|
|
return false if !@auth_result
|
|
return false if @auth_result&.email&.downcase != @user.email.downcase
|
|
return false if !@auth_result.email_valid
|
|
true
|
|
end
|
|
|
|
private
|
|
|
|
def confirm_email
|
|
@user.activate if authenticated?
|
|
end
|
|
|
|
def authenticator
|
|
if authenticator_name
|
|
@authenticator ||= @authenticator_finder.find_authenticator(authenticator_name)
|
|
end
|
|
end
|
|
|
|
def authenticator_name
|
|
@auth_result&.authenticator_name
|
|
end
|
|
|
|
end
|