SECURITY: When enabled only allow Discourse Connect logins

If Discourse Connect is enabled no other methods for account creation or authentication should be allowed.
2025-05-31 12:27:16 +08:00 · 2024-10-24 13:06:55 -06:00
parent 15b43a205b
commit 17bdffc900
9 changed files with 84 additions and 0 deletions
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@ -3230,6 +3230,22 @@ RSpec.describe SessionController do
          expect(session[:current_user_id]).to eq(nil)
        end

+        it "fails when discourse connect is enabled" do
+          SiteSetting.discourse_connect_url = "https://www.example.com/sso"
+          SiteSetting.enable_discourse_connect = true
+          simulate_localhost_passkey_challenge
+          user.activate
+          user.create_or_fetch_secure_identifier
+          post "/session/passkey/auth.json",
+               params: {
+                 publicKeyCredential:
+                   valid_passkey_auth_data.merge(
+                     { userHandle: Base64.strict_encode64(user.secure_identifier) },
+                   ),
+               }
+          expect(response.status).to eq(403)
+        end
+
        it "logs the user in" do
          simulate_localhost_passkey_challenge
          user.activate