SECURITY: signup without verified email using Google auth

2025-05-28 01:56:58 +08:00 · 2017-10-16 13:51:35 -04:00
parent 80d0c6df7c
commit 2db66072d7
5 changed files with 46 additions and 4 deletions
--- a/lib/auth/google_oauth2_authenticator.rb
+++ b/lib/auth/google_oauth2_authenticator.rb
@ -31,7 +31,7 @@ class Auth::GoogleOAuth2Authenticator < Auth::Authenticator
  def after_create_account(user, auth)
    data = auth[:extra_data]
    GoogleUserInfo.create({ user_id: user.id }.merge(data))
-    if auth[:email_valid].to_s == 'true'
+    if auth[:email_valid].to_s == 'true' && data[:email]&.downcase == user.email
      EmailToken.confirm(user.email_tokens.first.token)
      user.set_automatic_groups
    end