FIX: store information about the login method in the database. (#28054)

Previously in these 2 PRs, we introduced a new site setting `SiteSetting.enforce_second_factor_on_external_auth`.

https://github.com/discourse/discourse/pull/27547
https://github.com/discourse/discourse/pull/27674

When disabled, it should enforce 2FA for local login with username and password and skip the requirement when authenticating with oauth2.

We stored information about the login method in a secure session but it is not reliable. Therefore, information about the login method is moved to the database.
This commit is contained in:
Krzysztof Kotlarek
2024-07-24 17:19:58 +10:00
committed by GitHub
parent 0c13c91f84
commit b64d01bc10
10 changed files with 33 additions and 23 deletions

@ -86,7 +86,6 @@ class Users::OmniauthCallbacksController < ApplicationController
cookies["_bypass_cache"] = true
cookies[:authentication_data] = { value: client_hash.to_json, path: Discourse.base_path("/") }
secure_session.set("oauth", true, expires: SiteSetting.maximum_session_age.hours)
redirect_to @origin
end
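Review bot: With the `secure_session.set("oauth", true, ...)` line gone, the branch that sets `cookies[:authentication_data]` and redirects to `@origin` no longer records that the visitor arrived through OAuth. The replacement flag is only passed at the `log_on_user` call in the next hunk, so whatever code logs this user on after the redirect needs to pass `authenticated_with_oauth: true` too. Otherwise, with `enforce_second_factor_on_external_auth` disabled, that user would be treated as a local login and asked for 2FA. Please also confirm that nothing in the other changed files still reads the "oauth" secure-session key, and say in the commit message what happens to sessions created before this change, which carry neither marker.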
@ -183,7 +182,7 @@ class Users::OmniauthCallbacksController < ApplicationController
return
end
log_on_user(user)
log_on_user(user, { authenticated_with_oauth: true })
Invite.invalidate_for_email(user.email) # invite link can't be used to log in anymore
session[:authentication] = nil # don't carry around old auth info, perhaps move elsewhere
@auth_result.authenticated = true
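Review bot: The `authenticated_with_oauth: true` option passed to `log_on_user` decides whether a 2FA requirement is skipped, yet nothing at this call site shows which record the value ends up on. If it is stored per user rather than per login session, a later username and password login by the same account would inherit the exemption, so please point to (or add) a spec that logs in with OAuth, then logs in locally, and checks that only the first session is marked. As a style point, the braces around the options hash are unnecessary: `log_on_user(user, authenticated_with_oauth: true)` reads the same. A short comment on the option would also help, since a misspelled key in a free-form hash fails silently.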