discourse/lib/auth/google_oauth2_authenticator.rb

# frozen_string_literal: true

class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator
  def name
    "google_oauth2"
  end

  def enabled?
    SiteSetting.enable_google_oauth2_logins
  end

  def primary_email_verified?(auth_token)
    # note, emails that come back from google via omniauth are always valid
    # this protects against future regressions
    auth_token[:extra][:raw_info][:email_verified]
  end

  def register_middleware(omniauth)
    strategy_class = Auth::OmniAuthStrategies::DiscourseGoogleOauth2
    options = {
      setup: lambda { |env|
        strategy = env["omniauth.strategy"]
        strategy.options[:client_id] = SiteSetting.google_oauth2_client_id
        strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret

        if (google_oauth2_hd = SiteSetting.google_oauth2_hd).present?
          strategy.options[:hd] = google_oauth2_hd
        end

        if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present?
          strategy.options[:prompt] = google_oauth2_prompt.gsub("|", " ")
        end

        # All the data we need for the `info` and `credentials` auth hash
        # are obtained via the user info API, not the JWT. Using and verifying
        # the JWT can fail due to clock skew, so let's skip it completely.
        # https://github.com/zquestz/omniauth-google-oauth2/pull/392
        strategy.options[:skip_jwt] = true
        strategy.options[:request_groups] = provides_groups?

        if provides_groups?
          strategy.options[:scope] = "#{strategy_class::DEFAULT_SCOPE},#{strategy_class::GROUPS_SCOPE}"
        end
      }
    }
    omniauth.provider strategy_class, options
  end

  def after_authenticate(auth_token, existing_account: nil)
    result = super
    if provides_groups? && (groups = auth_token[:extra][:raw_groups])
      result.associated_groups = groups.map { |group| group.slice(:id, :name) }
    end
    result
  end

  def provides_groups?
    SiteSetting.google_oauth2_hd.present? && SiteSetting.google_oauth2_hd_groups
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

REFACTOR: Migrate GoogleOAuth2Authenticator to use ManagedAuthenticator (#7120) https://meta.discourse.org/t/future-social-authentication-improvements/94691/3 2019-03-07 06:31:04 -05:00			`class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`def name`
			`"google_oauth2"`
			`end`

FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 11:51:57 -04:00			`def enabled?`
			`SiteSetting.enable_google_oauth2_logins`
			`end`

REFACTOR: Migrate GoogleOAuth2Authenticator to use ManagedAuthenticator (#7120) https://meta.discourse.org/t/future-social-authentication-improvements/94691/3 2019-03-07 06:31:04 -05:00			`def primary_email_verified?(auth_token)`
			`# note, emails that come back from google via omniauth are always valid`
			`# this protects against future regressions`
			`auth_token[:extra][:raw_info][:email_verified]`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`end`

			`def register_middleware(omniauth)`
FEATURE: Experimental support for group membership via google auth (#14835) This commit introduces a new site setting "google_oauth2_hd_groups". If enabled, group information will be fetched from Google during authentication, and stored in the Discourse database. These 'associated groups' can be connected to a Discourse group via the "Membership" tab of the group preferences UI. The majority of the implementation is generic, so we will be able to add support to more authentication methods in the near future. https://meta.discourse.org/t/managing-group-membership-via-authentication/175950 2021-12-09 07:30:27 -05:00			`strategy_class = Auth::OmniAuthStrategies::DiscourseGoogleOauth2`
Take 2 on https://github.com/discourse/discourse/commit/f74d6bb605f0395f4cba5e69d3c32206ca7c39a8. New options are left out by default when not configured so that an incorrect default configuration doesn't blow up google oauth for everyone. 2018-02-22 18:19:36 -05:00			`options = {`
			`setup: lambda { \|env\|`
			`strategy = env["omniauth.strategy"]`
FIX: Google `HD` and `Prompt` settings should be checked at runtime Previously a server restart was required after settings changes, and it did not work in multisite environments 2019-01-31 05:05:25 -05:00			`strategy.options[:client_id] = SiteSetting.google_oauth2_client_id`
			`strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret`

			`if (google_oauth2_hd = SiteSetting.google_oauth2_hd).present?`
			`strategy.options[:hd] = google_oauth2_hd`
			`end`

			`if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present?`
			`strategy.options[:prompt] = google_oauth2_prompt.gsub("\|", " ")`
			`end`
FIX: Avoid clock skew issues when logging in with Google (#11442) All the data we need for the `info` and `credentials` auth hash are obtained via the user info API, not the JWT. Using and verifying the JWT can fail due to clock skew, so let's skip it completely. PR opened to fix the upstream issue at https://github.com/zquestz/omniauth-google-oauth2/pull/392 2020-12-09 04:09:31 -05:00
			# All the data we need for the `info` and `credentials` auth hash
			`# are obtained via the user info API, not the JWT. Using and verifying`
			`# the JWT can fail due to clock skew, so let's skip it completely.`
			`# https://github.com/zquestz/omniauth-google-oauth2/pull/392`
			`strategy.options[:skip_jwt] = true`
FEATURE: Experimental support for group membership via google auth (#14835) This commit introduces a new site setting "google_oauth2_hd_groups". If enabled, group information will be fetched from Google during authentication, and stored in the Discourse database. These 'associated groups' can be connected to a Discourse group via the "Membership" tab of the group preferences UI. The majority of the implementation is generic, so we will be able to add support to more authentication methods in the near future. https://meta.discourse.org/t/managing-group-membership-via-authentication/175950 2021-12-09 07:30:27 -05:00			`strategy.options[:request_groups] = provides_groups?`

			`if provides_groups?`
			`strategy.options[:scope] = "#{strategy_class::DEFAULT_SCOPE},#{strategy_class::GROUPS_SCOPE}"`
			`end`
REFACTOR: Migrate GoogleOAuth2Authenticator to use ManagedAuthenticator (#7120) https://meta.discourse.org/t/future-social-authentication-improvements/94691/3 2019-03-07 06:31:04 -05:00			`}`
Take 2 on https://github.com/discourse/discourse/commit/f74d6bb605f0395f4cba5e69d3c32206ca7c39a8. New options are left out by default when not configured so that an incorrect default configuration doesn't blow up google oauth for everyone. 2018-02-22 18:19:36 -05:00			`}`
FEATURE: Experimental support for group membership via google auth (#14835) This commit introduces a new site setting "google_oauth2_hd_groups". If enabled, group information will be fetched from Google during authentication, and stored in the Discourse database. These 'associated groups' can be connected to a Discourse group via the "Membership" tab of the group preferences UI. The majority of the implementation is generic, so we will be able to add support to more authentication methods in the near future. https://meta.discourse.org/t/managing-group-membership-via-authentication/175950 2021-12-09 07:30:27 -05:00			`omniauth.provider strategy_class, options`
			`end`

			`def after_authenticate(auth_token, existing_account: nil)`
			`result = super`
			`if provides_groups? && (groups = auth_token[:extra][:raw_groups])`
			`result.associated_groups = groups.map { \|group\| group.slice(:id, :name) }`
			`end`
			`result`
			`end`

			`def provides_groups?`
			`SiteSetting.google_oauth2_hd.present? && SiteSetting.google_oauth2_hd_groups`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`end`
Don't blow up if Redis switches to READONLY 2015-04-24 13:10:43 -04:00			`end`