UX: Ignore name parameter from IDP when it is equal to email (#8869)

Some auth providers (e.g. Auth0 with default configuration) send the email address in the name field. In Discourse, the name field is made public, so this commit adds a safeguard to prevent emails being made public.
David Taylor
2020-02-05 16:03:18 +00:00
committed by GitHub
parent 98303ee645
commit 88779d849f
2 changed files with 15 additions and 4 deletions


@ -92,6 +92,11 @@ class Auth::ManagedAuthenticator < Auth::Authenticator
info = auth_token[:info]
result.email = info[:email]
result.name = (info[:first_name] && info[:last_name]) ? "#{info[:first_name]} #{info[:last_name]}" : info[:name]
if result.name.present? && result.name == result.email
# Some IDPs send the email address in the name parameter (e.g. Auth0 with default configuration)
# We add some generic protection here, so that users don't accidently make their email addresses public
result.name = nil
end
result.username = info[:nickname]
result.email_valid = primary_email_verified?(auth_token) if result.email
result.extra_data = {
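Review bot: the guard `if result.name.present? && result.name == result.email` uses exact string equality, so a name that differs from the email only in letter case or surrounding whitespace would still be accepted and published as the user's display name, which is the exact leak this hunk is meant to close; consider normalizing both sides before comparing, e.g. `result.name.strip.casecmp?(result.email.to_s)`, which also tolerates `result.email` being nil. Minor: the comment reads "accidently"; it should be "accidentally".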