From 2ddabc3928e377ee0757c603c66c4ca767350c40 Mon Sep 17 00:00:00 2001
From: Sam
Date: Mon, 7 Nov 2016 12:48:00 +1100
Subject: [PATCH] FIX: protect against future regressions of google omniauth

---
 lib/auth/google_oauth2_authenticator.rb | 7 +++--
 .../auth/google_oauth2_authenticator_spec.rb | 31 +++++++++++++++++--
 2 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/lib/auth/google_oauth2_authenticator.rb b/lib/auth/google_oauth2_authenticator.rb
index c51e5a01d0d..ec1f386ea72 100644
--- a/lib/auth/google_oauth2_authenticator.rb
+++ b/lib/auth/google_oauth2_authenticator.rb
@@ -18,8 +18,11 @@ class Auth::GoogleOAuth2Authenticator < Auth::Authenticator
     user_info = GoogleUserInfo.find_by(google_user_id: google_hash[:google_user_id])
     result.user = user_info.try(:user)
 
-    if !result.user && !result.email.blank? && result.user = User.find_by_email(result.email)
-      GoogleUserInfo.create({user_id: result.user.id}.merge(google_hash))
+    if !result.user && !result.email.blank? && result.email_valid
+      result.user = User.find_by_email(result.email)
+      if result.user
+        GoogleUserInfo.create({user_id: result.user.id}.merge(google_hash))
+      end
     end
 
     result
diff --git a/spec/components/auth/google_oauth2_authenticator_spec.rb b/spec/components/auth/google_oauth2_authenticator_spec.rb
index ecf5230d503..db28abfd225 100644
--- a/spec/components/auth/google_oauth2_authenticator_spec.rb
+++ b/spec/components/auth/google_oauth2_authenticator_spec.rb
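Review bot: The new `result.email_valid` guard is the entire point of this change — without it an account is linked to an existing user on a matching but unverified address — yet nothing at the `if` says so, so a one-line comment would stop the next refactor from dropping it: `# never link to an existing account on email alone unless Google reports the address as verified`. `result.email_valid` is populated outside this hunk (presumably from the raw_info email_verified flag), so the guard is only as strong as that mapping; a nil from a missing key is rejected here, which is the right default. Stylistically, `!result.email.blank?` reads better as `result.email.present?`, and the nested `if result.user … end` collapses to `GoogleUserInfo.create({user_id: result.user.id}.merge(google_hash)) if result.user`. The enclosing method begins outside the hunk.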
@@ -6,9 +6,36 @@ load 'auth/google_oauth2_authenticator.rb'
 
 
 describe Auth::GoogleOAuth2Authenticator do
+  it 'does not look up user unless email is verified' do
+    # note, emails that come back from google via omniauth are always valid
+    # this protects against future regressions
+
+    authenticator = Auth::GoogleOAuth2Authenticator.new
+    user = Fabricate(:user)
+
+    hash = {
+      :uid => "123456789",
+      :info => {
+        :name => "John Doe",
+        :email => user.email
+      },
+      :extra => {
+        :raw_info => {
+          :email => user.email,
+          :email_verified => false,
+          :name => "John Doe"
+        }
+      }
+    }
+
+    result = authenticator.after_authenticate(hash)
+
+    expect(result.user).to eq(nil)
+  end
+
   context 'after_authenticate' do
     it 'can authenticate and create a user record for already existing users' do
-      authenticator = described_class.new
+      authenticator = Auth::GoogleOAuth2Authenticator.new
       user = Fabricate(:user)
 
       hash = {
@@ -19,7 +46,7 @@ describe Auth::GoogleOAuth2Authenticator do
         },
         :extra => {
           :raw_info => {
-            :email => "user@domain.example.com",
+            :email => user.email,
             :email_verified => true,
             :name => "John Doe"
           }
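Review bot: The new negative test asserts only `expect(result.user).to eq(nil)`; it does not check that no GoogleUserInfo row was created, which is the other outcome the `email_valid` guard exists to prevent, so a regression that records the link but returns no user would still pass. Adding `expect(GoogleUserInfo.find_by(google_user_id: "123456789")).to be_nil` would pin that, assuming the uid is what the authenticator stores as google_user_id — confirm against the code outside this hunk. The comment at the top of the example could also name the property under test rather than only the motivation, e.g. `# an unverified google email must never be used to match an existing local account`. `eq(nil)` is conventionally written `be_nil`. The third hunk of this file is a plain data substitution and needs no further note.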