SECURITY: When enabled only allow Discourse Connect logins

If Discourse Connect is enabled no other methods for account creation or authentication should be allowed.
2025-05-30 07:11:34 +08:00 · 2024-10-24 13:06:55 -06:00
parent 15b43a205b
commit 17bdffc900
9 changed files with 84 additions and 0 deletions
--- a/spec/integration/twitter_omniauth_spec.rb
+++ b/spec/integration/twitter_omniauth_spec.rb
@ -106,6 +106,21 @@ describe "Twitter OAuth 1.0a" do
    expect(session[:current_user_id]).to eq(user1.id)
  end

+  it "doesn't sign in the user discourse connect is enabled" do
+    SiteSetting.discourse_connect_url = "https://example.com/sso"
+    SiteSetting.enable_discourse_connect = true
+    post "/auth/twitter"
+    expect(response.status).to eq(302)
+    expect(response.location).to start_with("https://api.twitter.com/oauth/authenticate")
+
+    setup_twitter_email_stub(email: user1.email)
+
+    post "/auth/twitter/callback", params: { state: session["omniauth.state"] }
+
+    expect(response.status).to eq(403)
+    expect(session[:current_user_id]).to be_blank
+  end
+
  it "doesn't sign in anyone if the API response from twitter doesn't include an email (implying the user's email on twitter isn't verified)" do
    post "/auth/twitter"
    expect(response.status).to eq(302)