FIX: Improve email validation error handling for external logins (#11307)

- Display reason for validation error when logging in via an authenticator - Fix email validation handling for 'Discourse SSO', and add a spec Previously, validation errors (e.g. blocked or already-taken emails) would raise a generic error with no useful information.
2025-05-23 18:41:07 +08:00 · 2020-11-23 11:06:08 +00:00
parent 4638c6fc8d
commit 20c0da8516
4 changed files with 62 additions and 15 deletions
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@ -67,20 +67,20 @@ class Users::OmniauthCallbacksController < ApplicationController
    end

    @auth_result.destination_url = @origin
+    @auth_result.authenticator_name = authenticator.name

-    if @auth_result.failed?
-      flash[:error] = @auth_result.failed_reason.html_safe
-      render('failure')
-    else
-      @auth_result.authenticator_name = authenticator.name
-      complete_response_data
-      cookies['_bypass_cache'] = true
-      cookies[:authentication_data] = {
-        value: @auth_result.to_client_hash.to_json,
-        path: Discourse.base_path("/")
-      }
-      redirect_to @origin
-    end
+    return render_auth_result_failure if @auth_result.failed?
+
+    complete_response_data
+
+    return render_auth_result_failure if @auth_result.failed?
+
+    cookies['_bypass_cache'] = true
+    cookies[:authentication_data] = {
+      value: @auth_result.to_client_hash.to_json,
+      path: Discourse.base_path("/")
+    }
+    redirect_to @origin
  end

  def failure
@ -98,6 +98,11 @@ class Users::OmniauthCallbacksController < ApplicationController

  protected

+  def render_auth_result_failure
+    flash[:error] = @auth_result.failed_reason.html_safe
+    render 'failure'
+  end
+
  def complete_response_data
    if @auth_result.user
      user_found(@auth_result.user)
@ -138,7 +143,14 @@ class Users::OmniauthCallbacksController < ApplicationController
    elsif ScreenedIpAddress.block_admin_login?(user, request.remote_ip)
      @auth_result.admin_not_allowed_from_ip_address = true
    elsif Guardian.new(user).can_access_forum? && user.active # log on any account that is active with forum access
-      user.save! if @auth_result.apply_user_attributes!
+      begin
+        user.save! if @auth_result.apply_user_attributes!
+      rescue ActiveRecord::RecordInvalid => e
+        @auth_result.failed = true
+        @auth_result.failed_reason = e.record.errors.full_messages.join(", ")
+        return
+      end
+
      log_on_user(user)
      Invite.invalidate_for_email(user.email) # invite link can't be used to log in anymore
      session[:authentication] = nil # don't carry around old auth info, perhaps move elsewhere