github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-05 14:07:30 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

UX: Ignore name parameter from IDP when it is equal to email (#8869)

Browse Source 
Some auth providers (e.g. Auth0 with default configuration) send the email address in the name field. In Discourse, the name field is made public, so this commit adds a safeguard to prevent emails being made public.
This commit is contained in:
David Taylor
2020-02-05 16:03:18 +00:00
committed by GitHub
parent 98303ee645
commit 88779d849f
2 changed files with 15 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/auth/managed_authenticator.rb
View File

@ -92,6 +92,11 @@ class Auth::ManagedAuthenticator < Auth::Authenticator
info = auth_token[:info] info = auth_token[:info]
result.email = info[:email] result.email = info[:email]
result.name = (info[:first_name] && info[:last_name]) ? "#{info[:first_name]} #{info[:last_name]}" : info[:name] result.name = (info[:first_name] && info[:last_name]) ? "#{info[:first_name]} #{info[:last_name]}" : info[:name]
if result.name.present? && result.name == result.email
# Some IDPs send the email address in the name parameter (e.g. Auth0 with default configuration)
# We add some generic protection here, so that users don't accidently make their email addresses public
result.name = nil
end
result.username = info[:nickname] result.username = info[:nickname]
result.email_valid = primary_email_verified?(auth_token) if result.email result.email_valid = primary_email_verified?(auth_token) if result.email
result.extra_data = { result.extra_data = {

14
spec/components/auth/managed_authenticator_spec.rb
View File

@ -12,7 +12,7 @@ describe Auth::ManagedAuthenticator do
} }
let(:hash) { let(:hash) {
{ OmniAuth::AuthHash.new(
provider: "myauth", provider: "myauth",
uid: "1234", uid: "1234",
info: { info: {
@ -28,14 +28,14 @@ describe Auth::ManagedAuthenticator do
randominfo: "some info" randominfo: "some info"
} }
} }
} )
} }
let(:create_hash) { let(:create_hash) {
{ OmniAuth::AuthHash.new(
provider: "myauth", provider: "myauth",
uid: "1234" uid: "1234"
} )
} }
describe 'after_authenticate' do describe 'after_authenticate' do
@ -151,6 +151,12 @@ describe Auth::ManagedAuthenticator do
expect(UserAssociatedAccount.last.user).to eq(nil) expect(UserAssociatedAccount.last.user).to eq(nil)
expect(UserAssociatedAccount.last.info["nickname"]).to eq("IAmGroot") expect(UserAssociatedAccount.last.info["nickname"]).to eq("IAmGroot")
end end
it 'will ignore name when equal to email' do
result = authenticator.after_authenticate(hash.deep_merge(info: { name: hash.info.email }))
expect(result.email).to eq(hash.info.email)
expect(result.name).to eq(nil)
end
end end
describe "avatar on update" do describe "avatar on update" do