Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/app/controllers/session_controller.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

686 lines
21 KiB
Ruby
Raw Normal View History

DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging
2019-05-02 18:17:27 -04:00
# frozen_string_literal: true
Initial release of Discourse
2013-02-05 14:16:51 -05:00
class SessionController < ApplicationController
Fix broken admin login fro SSO enabled sites (#8737) * When we refactored away the admin-login route we introduced a bug where admins could not log into an SSO enabled site, because of a check in the email_login route that disallowed this. * Allow admin to get around this check.
2020-01-16 20:25:31 -05:00
before_action :check_local_login_allowed, only: %i(create forgot_password)
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
before_action :rate_limit_login, only: %i(create email_login)
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
skip_before_action :redirect_to_login_if_required
SECURITY: Add confirmation screen when logging in via email link
2019-06-12 10:37:26 -04:00
skip_before_action :preload_json, :check_xhr, only: %i(sso sso_login sso_provider destroy one_time_password)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
SECURITY: Only allow users to resend activation email with a valid session. * Improve error when an active user tries to request for an activation email.
2017-03-13 07:19:42 -04:00
ACTIVATE_USER_KEY = "activate_user"
SECURITY: correct our CSRF implementation to be much more aggressive
2013-07-29 01:13:13 -04:00
def csrf
render json: { csrf: form_authenticity_token }
end
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta
2014-02-24 22:30:49 -05:00
def sso
FIX: redirects back to origin for SSO and omniauth login
2016-09-15 23:48:50 -04:00
destination_url = cookies[:destination_url] || session[:destination_url]
return_path = params[:return_path] || path('/')
if destination_url && return_path == path('/')
uri = URI::parse(destination_url)
Fix modifying frozen strings errors take 3.
2019-05-13 04:45:23 -04:00
return_path = "#{uri.path}#{uri.query ? "?#{uri.query}" : ""}"
Respect cookie[:destination_url] in Single Sign On When the login_required setting is true, the destination URL is dropped. This change means it will be respected at login time
2015-06-02 07:29:27 -04:00
end
FIX: redirects back to origin for SSO and omniauth login
2016-09-15 23:48:50 -04:00
session.delete(:destination_url)
cookies.delete(:destination_url)
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
if SiteSetting.enable_discourse_connect?
SECURITY: Attach DiscourseConnect (SSO) nonce to current session (#12124)
2021-02-18 05:35:10 -05:00
sso = DiscourseSingleSignOn.generate_sso(return_path, secure_session: secure_session)
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
if SiteSetting.verbose_discourse_connect_logging
FEATURE: verbose SSO logging By enabling the site setting verbose_sso_logging you can log information every time a user tries initiates SSO and during SSO failures
2016-04-07 21:20:01 -04:00
Rails.logger.warn("Verbose SSO log: Started SSO process\n\n#{sso.diagnostics}")
end
FIX: Correct server error for starting SSO login, and add spec (#12010) Followup to 821bb1e8cb72bee56cf5c2a878043112cc7ea2fd
2021-02-08 05:59:43 -05:00
redirect_to sso_url(sso)
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta
2014-02-24 22:30:49 -05:00
else
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil, status: 404
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta
2014-02-24 22:30:49 -05:00
end
end
FEATURE: implement SSO provider on Discourse so Auth can be farmed to it FEATURE: pass return_sso_url to SSO endpoints, for easier return
2014-11-26 01:25:54 -05:00
def sso_provider(payload = nil)
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
if SiteSetting.enable_discourse_connect_provider
FIX: Better error when SSO fails due to blank secret (#7946) * FIX: Better error when SSO fails due to blank secret * Update spec/requests/session_controller_spec.rb Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2019-07-26 10:37:23 -04:00
begin
DEV: improves error message when sso param is not passed (#8549) SingleSignOnProvider is expecting a sso param later in the chain. If sso param is not found it will cause a 500 with the following exception: `NoMethodError (undefined method `unpack1' for nil:NilClass)` as `set_return_sso_url` is attempting to decode it: https://github.com/discourse/discourse/blob/master/lib/single_sign_on_provider.rb#L19
2019-12-16 06:33:24 -05:00
if !payload
params.require(:sso)
payload = request.query_string
end
FIX: Better error when SSO fails due to blank secret (#7946) * FIX: Better error when SSO fails due to blank secret * Update spec/requests/session_controller_spec.rb Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2019-07-26 10:37:23 -04:00
sso = SingleSignOnProvider.parse(payload)
rescue SingleSignOnProvider::BlankSecret
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
render plain: I18n.t("discourse_connect.missing_secret"), status: 400
FIX: Better error when SSO fails due to blank secret (#7946) * FIX: Better error when SSO fails due to blank secret * Update spec/requests/session_controller_spec.rb Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2019-07-26 10:37:23 -04:00
return
FIX: Handle SSO Provider Parse exception Prevent unnecessary 500 errors from appearing in the logs and return a 422 response instead.
2020-02-12 18:03:25 -05:00
rescue SingleSignOnProvider::ParseError => e
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
if SiteSetting.verbose_discourse_connect_logging
FIX: Handle SSO Provider Parse exception Prevent unnecessary 500 errors from appearing in the logs and return a 422 response instead.
2020-02-12 18:03:25 -05:00
Rails.logger.warn("Verbose SSO log: Signature parse error\n\n#{e.message}\n\n#{sso&.diagnostics}")
end
# Do NOT pass the error text to the client, it would give them the correct signature
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
render plain: I18n.t("discourse_connect.login_error"), status: 422
FIX: Handle SSO Provider Parse exception Prevent unnecessary 500 errors from appearing in the logs and return a 422 response instead.
2020-02-12 18:03:25 -05:00
return
FIX: Better error when SSO fails due to blank secret (#7946) * FIX: Better error when SSO fails due to blank secret * Update spec/requests/session_controller_spec.rb Co-Authored-By: Robin Ward <robin.ward@gmail.com>
2019-07-26 10:37:23 -04:00
end
FIX: redirect users after signing up using SSO provider
2018-05-11 18:41:27 -04:00
if sso.return_sso_url.blank?
render plain: "return_sso_url is blank, it must be provided", status: 400
return
end
FEATURE: Add logout functionality to SSO Provider protocol (#8816) This commit adds support for an optional "logout" parameter in the payload of the /session/sso_provider endpoint. If an SSO Consumer adds a "logout=true" parameter to the encoded/signed "sso" payload, then Discourse will treat the request as a logout request instead of an authentication request. The logout flow works something like this: * User requests logout at SSO-Consumer site (e.g., clicks "Log me out!" on web browser). * SSO-Consumer site does whatever it does to destroy User's session on the SSO-Consumer site. * SSO-Consumer then redirects browser to the Discourse sso_provider endpoint, with a signed request bearing "logout=true" in addition to the usual nonce and the "return_sso_url". * Discourse destroys User's discourse session and redirects browser back to the "return_sso_url". * SSO-Consumer site does whatever it does --- notably, it cannot request SSO credentials from Discourse without the User being prompted to login again.
2020-02-03 12:53:14 -05:00
if sso.logout
params[:return_url] = sso.return_sso_url
destroy
return
end
FEATURE: implement SSO provider on Discourse so Auth can be farmed to it FEATURE: pass return_sso_url to SSO endpoints, for easier return
2014-11-26 01:25:54 -05:00
if current_user
sso.name = current_user.name
sso.username = current_user.username
sso.email = current_user.email
sso.external_id = current_user.id.to_s
Add admin and moderator state to sso provider
2014-11-26 20:24:21 -05:00
sso.admin = current_user.admin?
sso.moderator = current_user.moderator?
array is not supported here, use a simple comma delimited list
2018-04-10 00:37:10 -04:00
sso.groups = current_user.groups.pluck(:name).join(",")
FIX: sso provider require return_sso_url
2017-03-22 09:08:38 -04:00
FIX: redirect users after signing up using SSO provider
2018-05-11 18:41:27 -04:00
if current_user.uploaded_avatar.present?
FIX: avatar_url includes upload_path twice when local storage used
2018-06-06 08:57:30 -04:00
base_url = Discourse.store.external? ? "#{Discourse.store.absolute_base_url}/" : Discourse.base_url
avatar_url = "#{base_url}#{Discourse.store.get_path_for_upload(current_user.uploaded_avatar)}"
FIX: redirect users after signing up using SSO provider
2018-05-11 18:41:27 -04:00
sso.avatar_url = UrlHelper.absolute Discourse.store.cdn_url(avatar_url)
end
FIX: Properly associate user_profiles background urls via upload id. `Upload#url` is more likely and can change from time to time. When it does changes, we don't want to have to look through multiple tables to ensure that the URLs are all up to date. Instead, we simply associate uploads properly to `UserProfile` so that it does not have to replicate the URLs in the table.
2019-04-28 23:58:52 -04:00
if current_user.user_profile.profile_background_upload.present?
sso.profile_background_url = UrlHelper.absolute(upload_cdn_path(
current_user.user_profile.profile_background_upload.url
))
FIX: redirect users after signing up using SSO provider
2018-05-11 18:41:27 -04:00
end
FIX: Properly associate user_profiles background urls via upload id. `Upload#url` is more likely and can change from time to time. When it does changes, we don't want to have to look through multiple tables to ensure that the URLs are all up to date. Instead, we simply associate uploads properly to `UserProfile` so that it does not have to replicate the URLs in the table.
2019-04-28 23:58:52 -04:00
if current_user.user_profile.card_background_upload.present?
sso.card_background_url = UrlHelper.absolute(upload_cdn_path(
current_user.user_profile.card_background_upload.url
))
FIX: sso provider require return_sso_url
2017-03-22 09:08:38 -04:00
end
FIX: redirect to return_url when working as SSO provider
2015-10-25 01:00:19 -04:00
if request.xhr?
cookies[:sso_destination_url] = sso.to_url(sso.return_sso_url)
else
redirect_to sso.to_url(sso.return_sso_url)
end
FEATURE: implement SSO provider on Discourse so Auth can be farmed to it FEATURE: pass return_sso_url to SSO endpoints, for easier return
2014-11-26 01:25:54 -05:00
else
FIX: redirect users after signing up using SSO provider
2018-05-11 18:41:27 -04:00
cookies[:sso_payload] = request.query_string
FEATURE: add clean support for running Discourse in a subfolder To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish
2015-03-08 20:45:36 -04:00
redirect_to path('/login')
FEATURE: implement SSO provider on Discourse so Auth can be farmed to it FEATURE: pass return_sso_url to SSO endpoints, for easier return
2014-11-26 01:25:54 -05:00
end
else
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil, status: 404
FEATURE: implement SSO provider on Discourse so Auth can be farmed to it FEATURE: pass return_sso_url to SSO endpoints, for easier return
2014-11-26 01:25:54 -05:00
end
end
Added easy impersonate route while in development mode
2014-10-07 12:25:25 -04:00
# For use in development mode only when login options could be limited or disabled.
# NEVER allow this to work in production.
Simplify log in for request specs.
2018-03-27 23:31:43 -04:00
if !Rails.env.production?
SECURITY: Don't expose development route in production.
2018-03-27 23:22:43 -04:00
skip_before_action :check_xhr, only: [:become]
Added easy impersonate route while in development mode
2014-10-07 12:25:25 -04:00
SECURITY: Don't expose development route in production.
2018-03-27 23:22:43 -04:00
def become
DEV: by default disable anon impersonation in dev environments The impersonate any user by anonymous feature in dev should require a deliberate opt-in. This way developers are better aware of the security implications of this development only feature.
2019-06-02 20:02:10 -04:00
SECURITY: Don't expose development route in production.
2018-03-27 23:22:43 -04:00
raise Discourse::InvalidAccess if Rails.env.production?
DEV: by default disable anon impersonation in dev environments The impersonate any user by anonymous feature in dev should require a deliberate opt-in. This way developers are better aware of the security implications of this development only feature.
2019-06-02 20:02:10 -04:00
if ENV['DISCOURSE_DEV_ALLOW_ANON_TO_IMPERSONATE'] != "1"
render(content_type: 'text/plain', inline: <<~TEXT)
To enable impersonating any user without typing passwords set the following ENV var
export DISCOURSE_DEV_ALLOW_ANON_TO_IMPERSONATE=1
You can do that in your bashrc of bash profile file or the script you use to launch the web server
TEXT
return
end
SECURITY: Don't expose development route in production.
2018-03-27 23:22:43 -04:00
user = User.find_by_username(params[:session_id])
raise "User #{params[:session_id]} not found" if user.blank?
log_on_user(user)
redirect_to path("/")
end
Added easy impersonate route while in development mode
2014-10-07 12:25:25 -04:00
end
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta
2014-02-24 22:30:49 -05:00
def sso_login
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
raise Discourse::NotFound.new unless SiteSetting.enable_discourse_connect
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta
2014-02-24 22:30:49 -05:00
DEV: Require sso and sig query string params for sso_login
2018-10-11 19:33:30 -04:00
params.require(:sso)
params.require(:sig)
FIX: Return 422 instead of 500 for invalid SSO signature (#6738)
2018-12-07 10:01:44 -05:00
begin
SECURITY: Attach DiscourseConnect (SSO) nonce to current session (#12124)
2021-02-18 05:35:10 -05:00
sso = DiscourseSingleSignOn.parse(request.query_string, secure_session: secure_session)
FIX: Return 422 instead of 500 for invalid SSO signature (#6738)
2018-12-07 10:01:44 -05:00
rescue DiscourseSingleSignOn::ParseError => e
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
if SiteSetting.verbose_discourse_connect_logging
FIX: skip adding sso diagnostics if sso object is nil
2018-12-19 10:24:35 -05:00
Rails.logger.warn("Verbose SSO log: Signature parse error\n\n#{e.message}\n\n#{sso&.diagnostics}")
FIX: Return 422 instead of 500 for invalid SSO signature (#6738)
2018-12-07 10:01:44 -05:00
end
# Do NOT pass the error text to the client, it would give them the correct signature
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
return render_sso_error(text: I18n.t("discourse_connect.login_error"), status: 422)
FIX: Return 422 instead of 500 for invalid SSO signature (#6738)
2018-12-07 10:01:44 -05:00
end
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta
2014-02-24 22:30:49 -05:00
if !sso.nonce_valid?
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
if SiteSetting.verbose_discourse_connect_logging
FEATURE: verbose SSO logging By enabling the site setting verbose_sso_logging you can log information every time a user tries initiates SSO and during SSO failures
2016-04-07 21:20:01 -04:00
Rails.logger.warn("Verbose SSO log: Nonce has already expired\n\n#{sso.diagnostics}")
end
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
return render_sso_error(text: I18n.t("discourse_connect.timeout_expired"), status: 419)
FIX: If an IP is blocked, don't allow people to login using it
2015-02-25 15:59:11 -05:00
end
if ScreenedIpAddress.should_block?(request.remote_ip)
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
if SiteSetting.verbose_discourse_connect_logging
FEATURE: verbose SSO logging By enabling the site setting verbose_sso_logging you can log information every time a user tries initiates SSO and during SSO failures
2016-04-07 21:20:01 -04:00
Rails.logger.warn("Verbose SSO log: IP address is blocked #{request.remote_ip}\n\n#{sso.diagnostics}")
end
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
return render_sso_error(text: I18n.t("discourse_connect.unknown_error"), status: 500)
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta
2014-02-24 22:30:49 -05:00
end
FEATURE: SSO to handle return_path automatically
2014-02-25 17:58:30 -05:00
return_path = sso.return_path
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta
2014-02-24 22:30:49 -05:00
sso.expire_nonce!
Add more SSO logging for failure conditions
2014-11-23 18:02:22 -05:00
begin
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
invite = validate_invitiation!(sso)
FIX: SSO code should respect IP address filters
2015-02-23 15:58:45 -05:00
if user = sso.lookup_or_create_user(request.remote_ip)
FIX: add error for suspended users attempting to login via sso
2017-11-14 00:52:00 -05:00
if user.suspended?
FEATURE: use failed_to_login for SSO error (#7394) The error displayed when logging into suspended accounts via SSO never includes the suspension reason, unlike non-SSO logins. By re-using the failed_to_login method when generating the error message for SSO we can ensure the message is consistent between the SSO and non-SSO paths.
2019-04-24 02:38:56 -04:00
render_sso_error(text: failed_to_login(user)[:error], status: 403)
FIX: add error for suspended users attempting to login via sso
2017-11-14 00:52:00 -05:00
return
end
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
# users logging in via SSO using an invite do not need to be approved,
# they are already pre-approved because they have been invited
if SiteSetting.must_approve_users? && !user.approved? && invite.blank?
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
if SiteSetting.discourse_connect_not_approved_url.present?
redirect_to SiteSetting.discourse_connect_not_approved_url
FEATURE: custom url to redirect to on account pending approval for sso
2015-05-27 00:06:45 -04:00
else
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
render_sso_error(text: I18n.t("discourse_connect.account_not_approved"), status: 403)
FEATURE: custom url to redirect to on account pending approval for sso
2015-05-27 00:06:45 -04:00
end
Stop sso login processing after rendering error This prevents a DoubleRenderError triggered on the redirect_to.
2015-05-11 08:17:32 -04:00
return
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
# we only want to redeem the invite if
# the user has not already redeemed an invite
# (covers the same SSO user visiting an invite link)
elsif invite.present? && user.invited_user.blank?
redeem_invitation(invite, sso)
# we directly call user.activate here instead of going
# through the UserActivator path because we assume the account
# is valid from the SSO provider's POV and do not need to
# send an activation email to the user
user.activate
login_sso_user(sso, user)
topic = invite.topics.first
return_path = topic.present? ? path(topic.relative_url) : path("/")
Use session controller to prevent inactive SSO users
2015-05-15 13:01:30 -04:00
elsif !user.active?
activation = UserActivator.new(user, request, session, cookies)
activation.finish
session["user_created_message"] = activation.message
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
return redirect_to(users_account_created_path)
Add more SSO logging for failure conditions
2014-11-23 18:02:22 -05:00
else
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
login_sso_user(sso, user)
Add more SSO logging for failure conditions
2014-11-23 18:02:22 -05:00
end
SECURITY: The SSO `return_path` was an open redirect This security fix needs SSO to be configured, and the user has to go through the entire auth process before being redirected to the wrong host so it is probably lower priority for most installs.
2015-01-22 12:20:17 -05:00
# If it's not a relative URL check the host
if return_path !~ /^\/[^\/]/
begin
uri = URI(return_path)
Improve redirect avoidance for /sso paths e6b3310577582fc702913ac084d41bdf7006439d was missing an ege case where return url included current_hostname
2018-11-09 01:03:42 -05:00
if (uri.hostname == Discourse.current_hostname)
SECURITY: properly validate return URL for SSO Previously carefully crafted URLs could redirect off site
2019-03-24 18:02:42 -04:00
return_path = uri.to_s
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
elsif !SiteSetting.discourse_connect_allows_all_return_paths
Improve redirect avoidance for /sso paths e6b3310577582fc702913ac084d41bdf7006439d was missing an ege case where return url included current_hostname
2018-11-09 01:03:42 -05:00
return_path = path("/")
end
SECURITY: The SSO `return_path` was an open redirect This security fix needs SSO to be configured, and the user has to go through the entire auth process before being redirected to the wrong host so it is probably lower priority for most installs.
2015-01-22 12:20:17 -05:00
rescue
FEATURE: add clean support for running Discourse in a subfolder To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish
2015-03-08 20:45:36 -04:00
return_path = path("/")
SECURITY: The SSO `return_path` was an open redirect This security fix needs SSO to be configured, and the user has to go through the entire auth process before being redirected to the wrong host so it is probably lower priority for most installs.
2015-01-22 12:20:17 -05:00
end
end
SECURITY: properly validate return URL for SSO Previously carefully crafted URLs could redirect off site
2019-03-24 18:02:42 -04:00
# this can be done more surgically with a regex
# but it the edge case of never supporting redirects back to
# any url with `/session/sso` in it anywhere is reasonable
if return_path.include?(path("/session/sso"))
FIX: never redirect back to `/sso` it will cause a loop If for any reason our return url is set to `/sso` bypass using it for login redirect
2018-11-08 22:27:36 -05:00
return_path = path("/")
end
Add more SSO logging for failure conditions
2014-11-23 18:02:22 -05:00
redirect_to return_path
BUGFIX: sso to respect must_approve_users
2014-02-25 18:27:39 -05:00
else
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
render_sso_error(text: I18n.t("discourse_connect.not_found"), status: 500)
BUGFIX: sso to respect must_approve_users
2014-02-25 18:27:39 -05:00
end
FIX: Don't log validation errors for sso
2016-03-23 13:30:38 -04:00
rescue ActiveRecord::RecordInvalid => e
Custom errors for when Email is invalid via SSO
2017-03-21 14:37:21 -04:00
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
if SiteSetting.verbose_discourse_connect_logging
Improve SSO verbose log when user record is invalid.
2017-04-12 23:39:26 -04:00
Rails.logger.warn(<<~EOF)
Verbose SSO log: Record was invalid: #{e.record.class.name} #{e.record.id}
#{e.record.errors.to_h}
Attributes:
#{e.record.attributes.slice(*SingleSignOn::ACCESSORS.map(&:to_s))}
SSO Diagnostics:
#{sso.diagnostics}
Log RecordInvalid when verbose_sso_logging enabled
2016-06-30 01:12:25 -04:00
EOF
end
Custom errors for when Email is invalid via SSO
2017-03-21 14:37:21 -04:00
text = nil
# If there's a problem with the email we can explain that
FIX: Improve email validation error handling for external logins (#11307) - Display reason for validation error when logging in via an authenticator - Fix email validation handling for 'Discourse SSO', and add a spec Previously, validation errors (e.g. blocked or already-taken emails) would raise a generic error with no useful information.
2020-11-23 06:06:08 -05:00
if (e.record.is_a?(User) && e.record.errors[:primary_email].present?)
Display email address in SSO error message.
2017-03-21 15:37:46 -04:00
if e.record.email.blank?
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
text = I18n.t("discourse_connect.no_email")
Display email address in SSO error message.
2017-03-21 15:37:46 -04:00
else
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
text = I18n.t("discourse_connect.email_error", email: ERB::Util.html_escape(e.record.email))
Display email address in SSO error message.
2017-03-21 15:37:46 -04:00
end
Custom errors for when Email is invalid via SSO
2017-03-21 14:37:21 -04:00
end
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
render_sso_error(text: text || I18n.t("discourse_connect.unknown_error"), status: 500)
DEV: reduce logging when no external id is specified Previously we were returning an unknown sso error and logging a message when external id was blank. This noise is not needed.
2020-04-07 22:42:28 -04:00
rescue DiscourseSingleSignOn::BlankExternalId
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
render_sso_error(text: I18n.t("discourse_connect.blank_id_error"), status: 500)
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
rescue Invite::ValidationFailed => e
render_sso_error(text: e.message, status: 400)
rescue Invite::RedemptionFailed => e
render_sso_error(text: I18n.t("discourse_connect.invite_redeem_failed"), status: 412)
rescue Invite::UserExists => e
render_sso_error(text: e.message, status: 412)
Add more SSO logging for failure conditions
2014-11-23 18:02:22 -05:00
rescue => e
Fix modifying frozen strings errors take 3.
2019-05-13 04:45:23 -04:00
message = +"Failed to create or lookup user: #{e}."
Just use space to prettify SSO verbose error logging.
2017-11-30 02:08:53 -05:00
message << " "
message << " #{sso.diagnostics}"
message << " "
message << " #{e.backtrace.join("\n")}"
better logs when an error happens in SSO
2016-02-24 15:57:01 -05:00
Rails.logger.error(message)
Add more SSO logging for failure conditions
2014-11-23 18:02:22 -05:00
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
render_sso_error(text: I18n.t("discourse_connect.unknown_error"), status: 500)
FEATURE: single sign on support Added support for outsourcing auth to a different website, documentation on meta
2014-02-24 22:30:49 -05:00
end
end
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
def login_sso_user(sso, user)
if SiteSetting.verbose_discourse_connect_logging
Rails.logger.warn("Verbose SSO log: User was logged on #{user.username}\n\n#{sso.diagnostics}")
end
log_on_user(user) if user.id != current_user&.id
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
def create
Enabled strong_parameters across all models/controllers. All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that. The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method. It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2013-06-06 03:14:32 -04:00
params.require(:login)
params.require(:password)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
SECURITY: Limit passwords to 200 characters Prevents layer 8 attack.
2014-09-11 15:22:11 -04:00
return invalid_credentials if params[:password].length > User.max_password_length
DEV: Move logic for rate limiting user second factor to one place (#11941) This moves all the rate limiting for user second factor (based on `params[:second_factor_token]` existing) to the one place, which rate limits by IP and also by username if a user is found.
2021-02-03 18:03:30 -05:00
user = User.find_by_username_or_email(normalized_login_param)
rate_limit_second_factor!(user)
if user.present?
Initial release of Discourse
2013-02-05 14:16:51 -05:00
Refactor SessionController#create, reduce complexity. Don't compromise readablity
2013-11-15 10:27:43 -05:00
# If their password is correct
unless user.confirm_password?(params[:password])
invalid_credentials
return
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
# If the site requires user approval and the user is not approved yet
Refactor SessionController#create, reduce complexity. Don't compromise readablity
2013-11-15 10:27:43 -05:00
if login_not_approved_for?(user)
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
render json: login_not_approved
Initial release of Discourse
2013-02-05 14:16:51 -05:00
return
end
fix exception in logs
2013-11-27 20:39:59 -05:00
Invite link can't be used to log in after you set a password or sign in with 3rd party
2014-01-21 16:53:46 -05:00
# User signed on with username and password, so let's prevent the invite link
# from being used to log in (if one exists).
Invite.invalidate_for_email(user.email)
fix exception in logs
2013-11-27 20:39:59 -05:00
else
invalid_credentials
return
Refactor SessionController#create, reduce complexity. Don't compromise readablity
2013-11-15 10:27:43 -05:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
if payload = login_error_check(user)
SECURITY: 2FA with U2F / TOTP
2020-01-15 05:27:12 -05:00
return render json: payload
end
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3.
2018-02-20 01:44:51 -05:00
SECURITY: 2FA with U2F / TOTP
2020-01-15 05:27:12 -05:00
if !authenticate_second_factor(user)
return render(json: @second_factor_failure_payload)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: Webauthn authenticator management with 2FA login (Security Keys) (#8099) Adds 2 factor authentication method via second factor security keys over [web authn](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API). Allows a user to authenticate a second factor on login, login-via-email, admin-login, and change password routes. Adds registration area within existing user second factor preferences to register multiple security keys. Supports both external (yubikey) and built-in (macOS/android fingerprint readers).
2019-10-01 22:08:41 -04:00
SECURITY: 2FA with U2F / TOTP
2020-01-15 05:27:12 -05:00
(user.active && user.email_confirmed?) ? login(user) : not_activated(user)
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
SECURITY: Add confirmation screen when logging in via email link
2019-06-12 10:37:26 -04:00
def email_login_info
token = params[:token]
matched_token = EmailToken.confirmable(token)
Fix broken admin login fro SSO enabled sites (#8737) * When we refactored away the admin-login route we introduced a bug where admins could not log into an SSO enabled site, because of a check in the email_login route that disallowed this. * Allow admin to get around this check.
2020-01-16 20:25:31 -05:00
user = matched_token&.user
SECURITY: Add confirmation screen when logging in via email link
2019-06-12 10:37:26 -04:00
Fix broken admin login fro SSO enabled sites (#8737) * When we refactored away the admin-login route we introduced a bug where admins could not log into an SSO enabled site, because of a check in the email_login route that disallowed this. * Allow admin to get around this check.
2020-01-16 20:25:31 -05:00
check_local_login_allowed(user: user, check_login_via_email: true)
DEV: Remove redundant admin_login route, share with email_login
2020-01-12 21:10:07 -05:00
SECURITY: Add confirmation screen when logging in via email link
2019-06-12 10:37:26 -04:00
if matched_token
response = {
can_login: true,
token: token,
token_email: matched_token.email
}
FEATURE: Webauthn authenticator management with 2FA login (Security Keys) (#8099) Adds 2 factor authentication method via second factor security keys over [web authn](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API). Allows a user to authenticate a second factor on login, login-via-email, admin-login, and change password routes. Adds registration area within existing user second factor preferences to register multiple security keys. Supports both external (yubikey) and built-in (macOS/android fingerprint readers).
2019-10-01 22:08:41 -04:00
matched_user = matched_token.user
if matched_user&.totp_enabled?
SECURITY: Add confirmation screen when logging in via email link
2019-06-12 10:37:26 -04:00
response.merge!(
second_factor_required: true,
FEATURE: Webauthn authenticator management with 2FA login (Security Keys) (#8099) Adds 2 factor authentication method via second factor security keys over [web authn](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API). Allows a user to authenticate a second factor on login, login-via-email, admin-login, and change password routes. Adds registration area within existing user second factor preferences to register multiple security keys. Supports both external (yubikey) and built-in (macOS/android fingerprint readers).
2019-10-01 22:08:41 -04:00
backup_codes_enabled: matched_user&.backup_codes_enabled?
)
end
if matched_user&.security_keys_enabled?
SECURITY: Improve second factor auth logic
2020-01-09 19:45:56 -05:00
Webauthn.stage_challenge(matched_user, secure_session)
FEATURE: Webauthn authenticator management with 2FA login (Security Keys) (#8099) Adds 2 factor authentication method via second factor security keys over [web authn](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API). Allows a user to authenticate a second factor on login, login-via-email, admin-login, and change password routes. Adds registration area within existing user second factor preferences to register multiple security keys. Supports both external (yubikey) and built-in (macOS/android fingerprint readers).
2019-10-01 22:08:41 -04:00
response.merge!(
SECURITY: Improve second factor auth logic
2020-01-09 19:45:56 -05:00
Webauthn.allowed_credentials(matched_user, secure_session).merge(security_key_required: true)
SECURITY: Add confirmation screen when logging in via email link
2019-06-12 10:37:26 -04:00
)
end
render json: response
else
render json: {
can_login: false,
error: I18n.t('email_login.invalid_token')
}
end
end
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
def email_login
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3.
2018-02-20 01:44:51 -05:00
token = params[:token]
SECURITY: Add confirmation screen when logging in via email link
2019-06-12 10:37:26 -04:00
matched_token = EmailToken.confirmable(token)
Fix broken admin login fro SSO enabled sites (#8737) * When we refactored away the admin-login route we introduced a bug where admins could not log into an SSO enabled site, because of a check in the email_login route that disallowed this. * Allow admin to get around this check.
2020-01-16 20:25:31 -05:00
user = matched_token&.user
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3.
2018-02-20 01:44:51 -05:00
Fix broken admin login fro SSO enabled sites (#8737) * When we refactored away the admin-login route we introduced a bug where admins could not log into an SSO enabled site, because of a check in the email_login route that disallowed this. * Allow admin to get around this check.
2020-01-16 20:25:31 -05:00
check_local_login_allowed(user: user, check_login_via_email: true)
DEV: Remove redundant admin_login route, share with email_login
2020-01-12 21:10:07 -05:00
DEV: Move logic for rate limiting user second factor to one place (#11941) This moves all the rate limiting for user second factor (based on `params[:second_factor_token]` existing) to the one place, which rate limits by IP and also by username if a user is found.
2021-02-03 18:03:30 -05:00
rate_limit_second_factor!(user)
SECURITY: 2FA with U2F / TOTP
2020-01-15 05:27:12 -05:00
if user.present? && !authenticate_second_factor(user)
return render(json: @second_factor_failure_payload)
FIX: Invalid token error incorrectly displayed on email login page.
2018-02-21 02:46:53 -05:00
end
if user = EmailToken.confirm(token)
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
if login_not_approved_for?(user)
SECURITY: Add confirmation screen when logging in via email link
2019-06-12 10:37:26 -04:00
return render json: login_not_approved
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
elsif payload = login_error_check(user)
SECURITY: Add confirmation screen when logging in via email link
2019-06-12 10:37:26 -04:00
return render json: payload
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
else
FIX: Missing timezone guess on email session login (#9404) Timezone is guessed by moment.js if unset upon a normal login, but was not when logging in via an email link. This adds logic to update a guessed timezone upon email login so timezones don't end up blank.
2020-04-10 14:19:39 -04:00
user.update_timezone_if_missing(params[:timezone])
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
log_on_user(user)
SECURITY: Add confirmation screen when logging in via email link
2019-06-12 10:37:26 -04:00
return render json: success_json
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
end
UX: improve message when admin login is blocked because of admin ip address whitelisting
2015-03-02 12:13:10 -05:00
end
Review Changes for https://github.com/discourse/discourse/pull/5612/commits/f4f8a293e74e6a37c7bee7645d9ca1d72a7d5bd3.
2018-02-20 01:44:51 -05:00
DEV: Apply Rubocop redundant return style
2019-11-14 15:10:51 -05:00
render json: { error: I18n.t('email_login.invalid_token') }
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: Delegated authentication via user api keys (#7272)
2019-04-01 13:18:53 -04:00
def one_time_password
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables.
2019-12-03 04:05:53 -05:00
@otp_username = otp_username = Discourse.redis.get "otp_#{params[:token]}"
FEATURE: Delegated authentication via user api keys (#7272)
2019-04-01 13:18:53 -04:00
if otp_username && user = User.find_by_username(otp_username)
SECURITY: Add confirmation screen when logging in via user-api OTP
2019-06-12 13:32:13 -04:00
if current_user&.username == otp_username
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables.
2019-12-03 04:05:53 -05:00
Discourse.redis.del "otp_#{params[:token]}"
SECURITY: Add confirmation screen when logging in via user-api OTP
2019-06-12 13:32:13 -04:00
return redirect_to path("/")
elsif request.post?
log_on_user(user)
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables.
2019-12-03 04:05:53 -05:00
Discourse.redis.del "otp_#{params[:token]}"
SECURITY: Add confirmation screen when logging in via user-api OTP
2019-06-12 13:32:13 -04:00
return redirect_to path("/")
else
# Display the form
end
FEATURE: Delegated authentication via user api keys (#7272)
2019-04-01 13:18:53 -04:00
else
@error = I18n.t('user_api_key.invalid_token')
end
UX: Hide login/signup header buttons during authentication flows
2019-08-08 08:57:18 -04:00
render layout: 'no_ember', locals: { hide_auth_buttons: true }
FEATURE: Delegated authentication via user api keys (#7272)
2019-04-01 13:18:53 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
def forgot_password
Enabled strong_parameters across all models/controllers. All models are now using ActiveModel::ForbiddenAttributesProtection, which shifts the responsibility for parameter whitelisting for mass-assignments from the model to the controller. attr_accessible has been disabled and removed as this functionality replaces that. The require_parameters method in the ApplicationController has been removed in favor of strong_parameters' #require method. It is important to note that there is still some refactoring required to get all parameters to pass through #require and #permit so that we can guarantee that parameter values are scalar. Currently strong_parameters, in most cases, is only being utilized to require parameters and to whitelist the few places that do mass-assignments.
2013-06-06 03:14:32 -04:00
params.require(:login)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
FEATURE: tighten rate limiting rules for forgot password 1. Total 6 attempts per day per user 2. Total of 5 per unique email/login that is not found per hour 3. If an admin blocks an IP that IP can not request a reset
2020-05-07 23:30:16 -04:00
if ScreenedIpAddress.should_block?(request.remote_ip)
return render_json_error(I18n.t("login.reset_not_allowed_from_ip_address"))
end
FIX: rate limit password reset email
2014-08-17 20:55:30 -04:00
RateLimiter.new(nil, "forgot-password-hr-#{request.remote_ip}", 6, 1.hour).performed!
RateLimiter.new(nil, "forgot-password-min-#{request.remote_ip}", 3, 1.minute).performed!
SECURITY: Rate limit MFA by login if possible (#11938) This ensures we rate limit on logins where possible, we also normalize logins for the rate limiters centrally.
2021-02-02 18:26:28 -05:00
user = User.find_by_username_or_email(normalized_login_param)
FEATURE: tighten rate limiting rules for forgot password 1. Total 6 attempts per day per user 2. Total of 5 per unique email/login that is not found per hour 3. If an admin blocks an IP that IP can not request a reset
2020-05-07 23:30:16 -04:00
if user
RateLimiter.new(nil, "forgot-password-login-day-#{user.username}", 6, 1.day).performed!
else
SECURITY: Rate limit MFA by login if possible (#11938) This ensures we rate limit on logins where possible, we also normalize logins for the rate limiters centrally.
2021-02-02 18:26:28 -05:00
RateLimiter.new(nil, "forgot-password-login-hour-#{normalized_login_param}", 5, 1.hour).performed!
FEATURE: tighten rate limiting rules for forgot password 1. Total 6 attempts per day per user 2. Total of 5 per unique email/login that is not found per hour 3. If an admin blocks an IP that IP can not request a reset
2020-05-07 23:30:16 -04:00
end
`human?` helper method on a user This is cleaner than hard coding `id > 0` in ruby code.
2019-02-08 13:34:54 -05:00
user_presence = user.present? && user.human? && !user.staged
disable sending email or show presence when forgot system user password
2014-12-10 01:17:49 -05:00
if user_presence
Initial release of Discourse
2013-02-05 14:16:51 -05:00
email_token = user.email_tokens.create(email: user.email)
FEATURE: move more urgent emails notifications to critical queue Move signup, admin login and password change email notifications to critical queue
2016-04-07 00:38:43 -04:00
Jobs.enqueue(:critical_user_email, type: :forgot_password, user_id: user.id, email_token: email_token.token)
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FEATURE: inform users if forgot password works or not FIX: flash dialog in forgot password often had wrong color (this can be disabled by setting forgot_password_verbose to false)
2014-09-10 22:04:44 -04:00
Prefer `success_Json` over custom success JSON payload.
2018-02-14 18:46:33 -05:00
json = success_json
rename forgot_password_strict to hide_email_address_taken
2017-10-03 15:28:15 -04:00
unless SiteSetting.hide_email_address_taken
disable sending email or show presence when forgot system user password
2014-12-10 01:17:49 -05:00
json[:user_found] = user_presence
FEATURE: inform users if forgot password works or not FIX: flash dialog in forgot password often had wrong color (this can be disabled by setting forgot_password_verbose to false)
2014-09-10 22:04:44 -04:00
end
render json: json
FIX: rate limit password reset email
2014-08-17 20:55:30 -04:00
rescue RateLimiter::LimitExceeded
render_json_error(I18n.t("rate_limiter.slow_down"))
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
API endpoint for retrieving the current user
2014-02-05 13:46:24 -05:00
def current
if current_user.present?
render_serialized(current_user, CurrentUserSerializer)
else
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
render body: nil, status: 404
API endpoint for retrieving the current user
2014-02-05 13:46:24 -05:00
end
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
def destroy
DEV: Move logout redirect logic to server and add plugin hook (#11199) This will allow authentication plugins to provide single-logout functionality by redirect users to the identity provider after logout.
2020-11-11 10:47:42 -05:00
redirect_url = params[:return_url].presence || SiteSetting.logout_redirect.presence
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
sso = SiteSetting.enable_discourse_connect
DEV: Move logout redirect logic to server and add plugin hook (#11199) This will allow authentication plugins to provide single-logout functionality by redirect users to the identity provider after logout.
2020-11-11 10:47:42 -05:00
only_one_authenticator = !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1
FIX: Logout redirect should only be `/login` for login_required sites (#11466) 25563357 moved the logout redirect logic from the client-side to the server-side. Unfortunately the login_required check was lost during the refactoring which meant that non-login-required sites would redirect to `/login` after redirect, and immediately restart the login process. Depending on the SSO implementation, that can make it impossible for users to log out cleanly. This commit restores the login_required check, and prevents the potential redirect loop.
2020-12-11 04:44:16 -05:00
if SiteSetting.login_required && (sso || only_one_authenticator)
DEV: Move logout redirect logic to server and add plugin hook (#11199) This will allow authentication plugins to provide single-logout functionality by redirect users to the identity provider after logout.
2020-11-11 10:47:42 -05:00
# In this situation visiting most URLs will start the auth process again
# Go to the `/login` page to avoid an immediate redirect
redirect_url ||= path("/login")
end
redirect_url ||= path("/")
event_data = { redirect_url: redirect_url, user: current_user }
DiscourseEvent.trigger(:before_session_destroy, event_data)
redirect_url = event_data[:redirect_url]
recover from bad CSRF tokens without requiring a hard refresh of the browser
2013-08-27 01:56:12 -04:00
reset_session
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278
2013-10-09 00:10:37 -04:00
log_off_user
FEATURE: simpler and friendlier unsubscribe workflow - All unsubscribes go to the exact same page - You may unsubscribe from watching a category on that page - You no longer need to be logged in to unsubscribe from a topic - Simplified footer on emails
2016-06-16 21:27:52 -04:00
if request.xhr?
DEV: Move logout redirect logic to server and add plugin hook (#11199) This will allow authentication plugins to provide single-logout functionality by redirect users to the identity provider after logout.
2020-11-11 10:47:42 -05:00
render json: {
redirect_url: redirect_url
}
FEATURE: simpler and friendlier unsubscribe workflow - All unsubscribes go to the exact same page - You may unsubscribe from watching a category on that page - You no longer need to be logged in to unsubscribe from a topic - Simplified footer on emails
2016-06-16 21:27:52 -04:00
else
DEV: Move logout redirect logic to server and add plugin hook (#11199) This will allow authentication plugins to provide single-logout functionality by redirect users to the identity provider after logout.
2020-11-11 10:47:42 -05:00
redirect_to redirect_url
FEATURE: simpler and friendlier unsubscribe workflow - All unsubscribes go to the exact same page - You may unsubscribe from watching a category on that page - You no longer need to be logged in to unsubscribe from a topic - Simplified footer on emails
2016-06-16 21:27:52 -04:00
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end
FIX: move hp request from /users to /token (#10795) `hp` is a valid username and we should not prevent users from registering it.
2020-10-01 19:01:40 -04:00
def get_honeypot_value
secure_session.set(HONEYPOT_KEY, honeypot_value, expires: 1.hour)
secure_session.set(CHALLENGE_KEY, challenge_value, expires: 1.hour)
render json: {
value: honeypot_value,
challenge: challenge_value,
expires_in: SecureSession.expiry
}
end
Spec for local auth check
2017-08-16 01:43:05 -04:00
protected
Refactor SessionController#create, reduce complexity. Don't compromise readablity
2013-11-15 10:27:43 -05:00
SECURITY: Rate limit MFA by login if possible (#11938) This ensures we rate limit on logins where possible, we also normalize logins for the rate limiters centrally.
2021-02-02 18:26:28 -05:00
def normalized_login_param
login = params[:login].to_s
if login.present?
login = login[1..-1] if login[0] == "@"
User.normalize_username(login.strip)[0..100]
else
nil
end
end
Fix broken admin login fro SSO enabled sites (#8737) * When we refactored away the admin-login route we introduced a bug where admins could not log into an SSO enabled site, because of a check in the email_login route that disallowed this. * Allow admin to get around this check.
2020-01-16 20:25:31 -05:00
def check_local_login_allowed(user: nil, check_login_via_email: false)
# admin-login can get around enabled SSO/disabled local logins
return if user&.admin?
if (check_login_via_email && !SiteSetting.enable_local_logins_via_email) ||
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
SiteSetting.enable_discourse_connect ||
Fix broken admin login fro SSO enabled sites (#8737) * When we refactored away the admin-login route we introduced a bug where admins could not log into an SSO enabled site, because of a check in the email_login route that disallowed this. * Allow admin to get around this check.
2020-01-16 20:25:31 -05:00
!SiteSetting.enable_local_logins
DEV: Respond with 403 instead of 500 for disabled local login via email Previously if local login via email was disabled because of the site setting or because SSO was enabled, we were raising a 500 error. We now raise a 403 error instead; we shouldn't raise 500 errors on purpose, instead keeping that code for unhandled errors. It doesn't make sense in the context of what we are validating either to raise a 500.
2020-01-20 01:11:58 -05:00
raise Discourse::InvalidAccess, "SSO takes over local login or the local login is disallowed."
Spec for local auth check
2017-08-16 01:43:05 -04:00
end
SECURITY: when enabled_local_logins is false users could log in via API thanks @Nicholas Blanco
2014-03-26 00:39:44 -04:00
end
Spec for local auth check
2017-08-16 01:43:05 -04:00
private
SECURITY: 2FA with U2F / TOTP
2020-01-15 05:27:12 -05:00
def authenticate_second_factor(user)
second_factor_authentication_result = user.authenticate_second_factor(params, secure_session)
if !second_factor_authentication_result.ok
failure_payload = second_factor_authentication_result.to_h
if user.security_keys_enabled?
Webauthn.stage_challenge(user, secure_session)
failure_payload.merge!(Webauthn.allowed_credentials(user, secure_session))
end
@second_factor_failure_payload = failed_json.merge(failure_payload)
return false
end
true
end
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
def login_error_check(user)
return failed_to_login(user) if user.suspended?
if ScreenedIpAddress.should_block?(request.remote_ip)
return not_allowed_from_ip_address(user)
end
if ScreenedIpAddress.block_admin_login?(user, request.remote_ip)
DEV: update rubocop to version 0.77 We like to stay as close as possible to latest with rubocop cause the cops get better. This update required some code changes, specifically the default is to avoid explicit returns where implicit is done Also this renames a few rules
2019-12-09 19:48:27 -05:00
admin_not_allowed_from_ip_address(user)
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
end
end
Refactor SessionController#create, reduce complexity. Don't compromise readablity
2013-11-15 10:27:43 -05:00
def login_not_approved_for?(user)
SiteSetting.must_approve_users? && !user.approved? && !user.admin?
end
def invalid_credentials
render json: { error: I18n.t("login.incorrect_username_email_or_password") }
end
def login_not_approved
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
{ error: I18n.t("login.not_approved") }
Refactor SessionController#create, reduce complexity. Don't compromise readablity
2013-11-15 10:27:43 -05:00
end
def not_activated(user)
FIX: Store user's id instead for sending activation email. * Email and username are both allowed to be used for logging in. Therefore, it is easier to just store the user's id rather than to store the username and email in the session.
2017-03-13 08:20:25 -04:00
session[ACTIVATE_USER_KEY] = user.id
Refactor SessionController#create, reduce complexity. Don't compromise readablity
2013-11-15 10:27:43 -05:00
render json: {
error: I18n.t("login.not_activated"),
reason: 'not_activated',
sent_to_email: user.find_email || user.email,
current_email: user.email
}
end
FEATURE: restrict admin access based on IP address
2014-09-04 18:50:27 -04:00
def not_allowed_from_ip_address(user)
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
{ error: I18n.t("login.not_allowed_from_ip_address", username: user.username) }
FEATURE: restrict admin access based on IP address
2014-09-04 18:50:27 -04:00
end
UX: improve message when admin login is blocked because of admin ip address whitelisting
2015-03-02 12:13:10 -05:00
def admin_not_allowed_from_ip_address(user)
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
{ error: I18n.t("login.admin_not_allowed_from_ip_address", username: user.username) }
UX: improve message when admin login is blocked because of admin ip address whitelisting
2015-03-02 12:13:10 -05:00
end
Refactor SessionController#create, reduce complexity. Don't compromise readablity
2013-11-15 10:27:43 -05:00
def failed_to_login(user)
message = user.suspend_reason ? "login.suspended_with_reason" : "login.suspended"
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
{
error: I18n.t(message,
date: I18n.l(user.suspended_till, format: :date_only),
reason: Rack::Utils.escape_html(user.suspend_reason)
),
FEATURE: show a new modal when suspended users try to log in
2016-02-19 12:19:20 -05:00
reason: 'suspended'
}
Refactor SessionController#create, reduce complexity. Don't compromise readablity
2013-11-15 10:27:43 -05:00
end
def login(user)
SECURITY: Only allow users to resend activation email with a valid session. * Improve error when an active user tries to request for an activation email.
2017-03-13 07:19:42 -04:00
session.delete(ACTIVATE_USER_KEY)
FEATURE: Add timezone to core user_options (#8380) * Add timezone to user_options table * Also migrate existing timezone values from UserCustomField, which is where the discourse-calendar plugin is storing them * Allow user to change their core timezone from Profile * Auto guess & set timezone on login & invite accept & signup * Serialize user_options.timezone for group members. this is so discourse-group-timezones can access the core user timezone, as it is being removed in discourse-calendar. * Annotate user_option with timezone * Validate timezone values
2019-11-24 19:49:27 -05:00
user.update_timezone_if_missing(params[:timezone])
Refactor SessionController#create, reduce complexity. Don't compromise readablity
2013-11-15 10:27:43 -05:00
log_on_user(user)
FEATURE: implement SSO provider on Discourse so Auth can be farmed to it FEATURE: pass return_sso_url to SSO endpoints, for easier return
2014-11-26 01:25:54 -05:00
FIX: redirect users after signing up using SSO provider
2018-05-11 18:41:27 -04:00
if payload = cookies.delete(:sso_payload)
FEATURE: implement SSO provider on Discourse so Auth can be farmed to it FEATURE: pass return_sso_url to SSO endpoints, for easier return
2014-11-26 01:25:54 -05:00
sso_provider(payload)
Fix all the errors to get our tests green on Rails 5.1.
2017-08-31 00:06:56 -04:00
else
render_serialized(user, UserSerializer)
FEATURE: implement SSO provider on Discourse so Auth can be farmed to it FEATURE: pass return_sso_url to SSO endpoints, for easier return
2014-11-26 01:25:54 -05:00
end
Refactor SessionController#create, reduce complexity. Don't compromise readablity
2013-11-15 10:27:43 -05:00
end
FEATURE: login by a link from email Co-authored-by: tgxworld <tgx@discourse.org>
2017-04-20 11:17:24 -04:00
def rate_limit_login
RateLimiter.new(
nil,
"login-hr-#{request.remote_ip}",
SiteSetting.max_logins_per_ip_per_hour,
1.hour
).performed!
RateLimiter.new(
nil,
"login-min-#{request.remote_ip}",
SiteSetting.max_logins_per_ip_per_minute,
1.minute
).performed!
end
Render a layout when there's an SSO error
2017-03-21 14:04:25 -04:00
def render_sso_error(status:, text:)
@sso_error = text
render status: status, layout: 'no_ember'
end
DEV: Add extension point to allow modifying SSO URL (#7937) This allows plugins to, for example, add extra query params to the SSO URL when discourse redirects to to the SSO website.
2019-07-24 17:18:27 -04:00
# extension to allow plugins to customize the SSO URL
def sso_url(sso)
sso.to_url
end
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
# the invite_key will be present if set in InvitesController
# when the user visits an /invites/xxxx link; however we do
# not want to complete the SSO process of creating a user
# and redeeming the invite if the invite is not redeemable or
# for the wrong user
def validate_invitiation!(sso)
invite_key = secure_session["invite-key"]
return if invite_key.blank?
invite = Invite.find_by(invite_key: invite_key)
if invite.blank?
raise Invite::ValidationFailed.new(I18n.t("invite.not_found", base_url: Discourse.base_url))
end
if invite.redeemable?
if !invite.is_invite_link? && sso.email != invite.email
raise Invite::ValidationFailed.new(I18n.t("invite.not_matching_email"))
end
elsif invite.expired?
raise Invite::ValidationFailed.new(I18n.t('invite.expired', base_url: Discourse.base_url))
elsif invite.redeemed?
raise Invite::ValidationFailed.new(I18n.t('invite.not_found_template', site_name: SiteSetting.title, base_url: Discourse.base_url))
end
invite
end
def redeem_invitation(invite, sso)
InviteRedeemer.new(
invite: invite,
username: sso.username,
name: sso.name,
ip_address: request.remote_ip,
session: session,
email: sso.email
).redeem
secure_session["invite-key"] = nil
# note - more specific errors are handled in the sso_login method
rescue ActiveRecord::RecordInvalid, ActiveRecord::RecordNotSaved => e
Rails.logger.warn("SSO invite redemption failed: #{e}")
raise Invite::RedemptionFailed
end
Initial release of Discourse
2013-02-05 14:16:51 -05:00
end