discourse/lib/auth/open_id_authenticator.rb

class Auth::OpenIdAuthenticator < Auth::Authenticator

  attr_reader :name, :identifier

  def initialize(name, identifier, enabled_site_setting, opts = {})
    @name = name
    @identifier = identifier
    @enabled_site_setting = enabled_site_setting
    @opts = opts
  end

  def enabled?
    SiteSetting.send(@enabled_site_setting)
  end

  def description_for_user(user)
    info = UserOpenId.where("url LIKE ?", "#{@identifier}%").find_by(user_id: user.id)
    info&.email || ""
  end

  def can_revoke?
    true
  end

  def revoke(user, skip_remote: false)
    info = UserOpenId.where("url LIKE ?", "#{@identifier}%").find_by(user_id: user.id)
    raise Discourse::NotFound if info.nil?

    info.destroy!
    true
  end

  def can_connect_existing_user?
    true
  end

  def after_authenticate(auth_token, existing_account: nil)
    Discourse.deprecate("OpenID Authentication has been deprecated, please migrate to OAuth2 or OpenID Connect", since: "2.3.0beta4", drop_from: "2.4")
    result = Auth::Result.new

    data = auth_token[:info]
    identity_url = auth_token[:extra][:response].identity_url
    result.email = email = data[:email]

    raise Discourse::InvalidParameters.new(:email) if email.blank?

    # If the auth supplies a name / username, use those. Otherwise start with email.
    result.name = data[:name] || data[:email]
    result.username = data[:nickname] || data[:email]

    user_open_id = UserOpenId.find_by_url(identity_url)

    if existing_account && (user_open_id.nil? || existing_account.id != user_open_id.user_id)
      user_open_id.destroy! if user_open_id
      user_open_id = UserOpenId.create!(url: identity_url , user_id: existing_account.id, email: email, active: true)
    end

    if !user_open_id && @opts[:trusted] && user = User.find_by_email(email)
      user_open_id = UserOpenId.create(url: identity_url , user_id: user.id, email: email, active: true)
    end

    result.user = user_open_id.try(:user)
    result.extra_data = {
      openid_url: identity_url,
      # note email may change by the time after_create_account runs
      email: email
    }

    result.email_valid = @opts[:trusted]

    result
  end

  def after_create_account(user, auth)
    data = auth[:extra_data]
    UserOpenId.create(
      user_id: user.id,
      url: data[:openid_url],
      email: data[:email],
      active: true
    )
  end

  def register_middleware(omniauth)
    omniauth.provider :open_id,
         setup: lambda { |env|
           strategy = env["omniauth.strategy"]
           strategy.options[:store] = OpenID::Store::Redis.new($redis)

           # Add CSRF protection in addition to OpenID Specification
           def strategy.query_string
             session["omniauth.state"] = state = SecureRandom.hex(24)
             "?state=#{state}"
           end

           def strategy.callback_phase
             stored_state = session.delete("omniauth.state")
             provided_state = request.params["state"]
             return fail!(:invalid_credentials) unless provided_state == stored_state
             super
           end
         },
         name: name,
         identifier: identifier,
         require: "omniauth-openid"
  end
end
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`class Auth::OpenIdAuthenticator < Auth::Authenticator`

Fixed all broken specs Moved middleware config into authenticators 2013-08-25 21:04:16 -04:00			`attr_reader :name, :identifier`

FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 11:51:57 -04:00			`def initialize(name, identifier, enabled_site_setting, opts = {})`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`@name = name`
Fixed all broken specs Moved middleware config into authenticators 2013-08-25 21:04:16 -04:00			`@identifier = identifier`
FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 11:51:57 -04:00			`@enabled_site_setting = enabled_site_setting`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`@opts = opts`
			`end`

FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 11:51:57 -04:00			`def enabled?`
			`SiteSetting.send(@enabled_site_setting)`
			`end`

			`def description_for_user(user)`
FIX: Filter open-id logins by identifier 2018-07-25 06:47:09 -04:00			`info = UserOpenId.where("url LIKE ?", "#{@identifier}%").find_by(user_id: user.id)`
FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 11:51:57 -04:00			`info&.email \|\| ""`
			`end`

FEATURE: Revoke and connect for Yahoo logins 2018-07-27 11:20:47 -04:00			`def can_revoke?`
			`true`
			`end`

			`def revoke(user, skip_remote: false)`
			`info = UserOpenId.where("url LIKE ?", "#{@identifier}%").find_by(user_id: user.id)`
			`raise Discourse::NotFound if info.nil?`

			`info.destroy!`
			`true`
			`end`

			`def can_connect_existing_user?`
			`true`
			`end`

			`def after_authenticate(auth_token, existing_account: nil)`
Remove Yahoo login support from core and deprecate OpenID2.0 (#7310) - Plugin developers using OpenID2.0 should migrate to OAuth2 or OIDC. OpenID2.0 APIs will be removed in v2.4.0 - For sites requiring Yahoo login, it can be implemented using the OpenID Connect plugin: https://meta.discourse.org/t/103632 For more information, see https://meta.discourse.org/t/113249 2019-04-08 05:38:25 -04:00			`Discourse.deprecate("OpenID Authentication has been deprecated, please migrate to OAuth2 or OpenID Connect", since: "2.3.0beta4", drop_from: "2.4")`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`result = Auth::Result.new`

			`data = auth_token[:info]`
BUGFIX: identity_url was not fished out correctly If I user logged in with Google and then changed email, they would no longer be able to log in with google 2014-03-25 23:52:50 -04:00			`identity_url = auth_token[:extra][:response].identity_url`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`result.email = email = data[:email]`

FEATURE: raise an exception when the email is missing in the OpenId callback 2014-08-07 13:28:50 -04:00			`raise Discourse::InvalidParameters.new(:email) if email.blank?`

major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`# If the auth supplies a name / username, use those. Otherwise start with email.`
BUGFIX: identity_url was not fished out correctly If I user logged in with Google and then changed email, they would no longer be able to log in with google 2014-03-25 23:52:50 -04:00			`result.name = data[:name] \|\| data[:email]`
			`result.username = data[:nickname] \|\| data[:email]`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00
			`user_open_id = UserOpenId.find_by_url(identity_url)`

FEATURE: Revoke and connect for Yahoo logins 2018-07-27 11:20:47 -04:00			`if existing_account && (user_open_id.nil? \|\| existing_account.id != user_open_id.user_id)`
			`user_open_id.destroy! if user_open_id`
			`user_open_id = UserOpenId.create!(url: identity_url , user_id: existing_account.id, email: email, active: true)`
			`end`

major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`if !user_open_id && @opts[:trusted] && user = User.find_by_email(email)`
			`user_open_id = UserOpenId.create(url: identity_url , user_id: user.id, email: email, active: true)`
			`end`

			`result.user = user_open_id.try(:user)`
			`result.extra_data = {`
fix open id so it creates records properly 2013-08-23 03:00:01 -04:00			`openid_url: identity_url,`
			`# note email may change by the time after_create_account runs`
			`email: email`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`}`
BUGFIX: identity_url was not fished out correctly If I user logged in with Google and then changed email, they would no longer be able to log in with google 2014-03-25 23:52:50 -04:00
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`result.email_valid = @opts[:trusted]`

			`result`
			`end`
fix open id so it creates records properly 2013-08-23 03:00:01 -04:00
			`def after_create_account(user, auth)`
			`data = auth[:extra_data]`
			`UserOpenId.create(`
			`user_id: user.id,`
			`url: data[:openid_url],`
			`email: data[:email],`
			`active: true`
			`)`
			`end`
Fixed all broken specs Moved middleware config into authenticators 2013-08-25 21:04:16 -04:00
			`def register_middleware(omniauth)`
			`omniauth.provider :open_id,`
SECURITY: Add CSRF protections to OpenID callback 2018-11-02 19:49:00 -04:00			`setup: lambda { \|env\|`
			`strategy = env["omniauth.strategy"]`
			`strategy.options[:store] = OpenID::Store::Redis.new($redis)`

			`# Add CSRF protection in addition to OpenID Specification`
			`def strategy.query_string`
DEV: Fix build. 2018-11-05 07:16:03 -05:00			`session["omniauth.state"] = state = SecureRandom.hex(24)`
SECURITY: Add CSRF protections to OpenID callback 2018-11-02 19:49:00 -04:00			`"?state=#{state}"`
			`end`

			`def strategy.callback_phase`
			`stored_state = session.delete("omniauth.state")`
			`provided_state = request.params["state"]`
			`return fail!(:invalid_credentials) unless provided_state == stored_state`
			`super`
			`end`
			`},`
			`name: name,`
			`identifier: identifier,`
			`require: "omniauth-openid"`
Fixed all broken specs Moved middleware config into authenticators 2013-08-25 21:04:16 -04:00			`end`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`end`