github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 16:11:08 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Add support for email whitelist/blacklist to GitHub auth

Browse Source 
If a site is configured for GitHub logins, _**and**_ has an email domain
whitelist, it's possible to get in a state where a new user is locked to
a non-whitelist email (their GitHub primary) even though they have an
alternate email that's on the whitelist.  In all cases, the GitHub
primary email is attempted first so that previously existing behavior
will be the default.

- Add whitelist/blacklist support to GithubAuthenticator (via
  EmailValidator)

- Add multiple email support GithubAuthenticator

- Add test specs for GithubAuthenticator

- Add authenticator-agnostic "none of your email addresses are allowed"
  error message.
This commit is contained in:
Jared Reisinger
2016-09-22 11:31:10 -07:00
parent 92529cd409
commit 2ae7c47a3c
3 changed files with 245 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
lib/auth/github_authenticator.rb
View File

@ -1,18 +1,34 @@
require_dependency 'has_errors'
class Auth::GithubAuthenticator < Auth::Authenticator
def name
"github"
end
class GithubEmailChecker
include ::HasErrors
def initialize(validator, email)
@validator = validator
@email = Email.downcase(email)
end
def valid?()
@validator.validate_each(self, :email, @email)
return errors.blank?
end
end
def after_authenticate(auth_token)
result = Auth::Result.new
data = auth_token[:info]
result.username = screen_name = data[:nickname]
result.name = data[:name]
result.username = screen_name = data["nickname"]
result.email = email = data["email"]
github_user_id = auth_token["uid"]
github_user_id = auth_token[:uid]
result.extra_data = {
github_user_id: github_user_id,
@ -20,20 +36,64 @@ class Auth::GithubAuthenticator < Auth::Authenticator
}
user_info = GithubUserInfo.find_by(github_user_id: github_user_id)
result.email_valid = !!data["email_verified"]
if user_info
# If there's existing user info with the given GitHub ID, that's all we
# need to know.
user = user_info.user
elsif result.email_valid && (user = User.find_by_email(email))
user_info = GithubUserInfo.create(
user_id: user.id,
screen_name: screen_name,
github_user_id: github_user_id
)
result.email = data[:email],
result.email_valid = !!data[:email_verified]
else
# Potentially use *any* of the emails from GitHub to find a match or
# register a new user, with preference given to the primary email.
all_emails = Array.new(auth_token[:extra][:all_emails])
all_emails.unshift({
:email => data[:email],
:verified => !!data[:email_verified]
})
# Only consider verified emails to match an existing user. We don't want
# someone to be able to create a GitHub account with an unverified email
# in order to access someone else's Discourse account!
all_emails.each do |candidate|
if !!candidate[:verified] && (user = User.find_by_email(candidate[:email]))
result.email = candidate[:email]
result.email_valid = !!candidate[:verified]
GithubUserInfo.create(
user_id: user.id,
screen_name: screen_name,
github_user_id: github_user_id
)
break
end
end
# If we *still* don't have a user, check to see if there's an email that
# passes validation (this includes whitelist/blacklist filtering if any is
# configured). When no whitelist/blacklist is in play, this will simply
# choose the primary email since it's at the front of the list.
if !user
validator = EmailValidator.new(attributes: :email)
found_email = false
all_emails.each do |candidate|
checker = GithubEmailChecker.new(validator, candidate[:email])
if checker.valid?
result.email = candidate[:email]
result.email_valid = !!candidate[:verified]
found_email = true
break
end
end
if !found_email
result.failed = true
escaped = Rack::Utils.escape_html(screen_name)
result.failed_reason = I18n.t("login.authenticator_error_no_valid_email", account: escaped)
end
end
end
result.user = user
result
end