From 9eadabe9fc546fdf56cd9db4abeaab8211c414bc Mon Sep 17 00:00:00 2001
From: Daniel Waterworth
Date: Fri, 13 May 2022 14:33:28 -0500
Subject: [PATCH] DEV: Let's deny access to sso endpoints when disabled consistently (#16752)

---
 app/controllers/session_controller.rb | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index 3060fce455e..d1222a0728f 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -17,6 +17,8 @@ class SessionController < ApplicationController
   end
 
   def sso
+    raise Discourse::NotFound unless SiteSetting.enable_discourse_connect?
+
     destination_url = cookies[:destination_url] || session[:destination_url]
     return_path = params[:return_path] || path('/')
 
@@ -28,20 +30,13 @@ class SessionController < ApplicationController
     session.delete(:destination_url)
     cookies.delete(:destination_url)
 
-    if SiteSetting.enable_discourse_connect?
-      sso = DiscourseConnect.generate_sso(return_path, secure_session: secure_session)
-      connect_verbose_warn { "Verbose SSO log: Started SSO process\n\n#{sso.diagnostics}" }
-      redirect_to sso_url(sso), allow_other_host: true
-    else
-      render body: nil, status: 404
-    end
+    sso = DiscourseConnect.generate_sso(return_path, secure_session: secure_session)
+    connect_verbose_warn { "Verbose SSO log: Started SSO process\n\n#{sso.diagnostics}" }
+    redirect_to sso_url(sso), allow_other_host: true
   end
 
   def sso_provider(payload = nil, confirmed_2fa_during_login = false)
-    if !SiteSetting.enable_discourse_connect_provider
-      render body: nil, status: 404
-      return
-    end
+    raise Discourse::NotFound unless SiteSetting.enable_discourse_connect_provider
 
     result = run_second_factor!(
       SecondFactor::Actions::DiscourseConnectProvider,
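Review bot: The three guards still read their setting in two different forms — `enable_discourse_connect?` in sso in the first hunk, but `enable_discourse_connect_provider` in sso_provider here and `enable_discourse_connect` in sso_login in the next hunk — so the consistency the commit title promises stops at the raise. Using the predicate form everywhere, e.g. `raise Discourse::NotFound unless SiteSetting.enable_discourse_connect_provider?`, keeps all three guards grep-able as one pattern (assuming the `?` accessor exists for every boolean site setting, as the sso guard implies). Replacing `render body: nil, status: 404` plus `return` with a raise also changes what a client receives from an empty body to whatever the NotFound rescue handler renders, and it removes any chance of execution continuing past the guard, which is the right fail-closed direction; a spec asserting a 404 for sso, sso_provider and sso_login with the respective setting disabled would pin both the status and the new placement of the sso guard ahead of the `session.delete`/`cookies.delete` calls. The bodies of sso_provider and sso_login continue outside their hunks.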
@@ -120,7 +115,7 @@ class SessionController < ApplicationController
   end
 
   def sso_login
-    raise Discourse::NotFound.new unless SiteSetting.enable_discourse_connect
+    raise Discourse::NotFound unless SiteSetting.enable_discourse_connect
     raise Discourse::ReadOnly if @readonly_mode
 
     params.require(:sso)