discourse/lib/auth/google_oauth2_authenticator.rb

class Auth::GoogleOAuth2Authenticator < Auth::Authenticator

  def name
    "google_oauth2"
  end

  def enabled?
    SiteSetting.enable_google_oauth2_logins
  end

  def description_for_user(user)
    info = GoogleUserInfo.find_by(user_id: user.id)
    info&.email || info&.name || ""
  end

  def can_revoke?
    true
  end

  def revoke(user, skip_remote: false)
    info = GoogleUserInfo.find_by(user_id: user.id)
    raise Discourse::NotFound if info.nil?

    # We get a temporary token from google upon login but do not need it, and do not store it.
    # Therefore we do not have any way to revoke the token automatically on google's end

    info.destroy!
    true
  end

  def can_connect_existing_user?
    true
  end

  def after_authenticate(auth_hash, existing_account: nil)
    session_info = parse_hash(auth_hash)
    google_hash = session_info[:google]

    result = ::Auth::Result.new
    result.email = session_info[:email]
    result.email_valid = session_info[:email_valid]
    result.name = session_info[:name]

    result.extra_data = google_hash

    user_info = ::GoogleUserInfo.find_by(google_user_id: google_hash[:google_user_id])

    if existing_account && (user_info.nil? || existing_account.id != user_info.user_id)
      user_info.destroy! if user_info
      result.user = existing_account
      user_info = GoogleUserInfo.create!({ user_id: result.user.id }.merge(google_hash))
    else
      result.user = user_info&.user
    end

    if !result.user && !result.email.blank? && result.email_valid
      result.user = User.find_by_email(result.email)
      if result.user
        # we've matched an existing user to this login attempt...
        if result.user.google_user_info && result.user.google_user_info.google_user_id != google_hash[:google_user_id]
          # but the user has changed the google account used to log in...
          if result.user.google_user_info.email != google_hash[:email]
            # the user changed their email, go ahead and scrub the old record
            result.user.google_user_info.destroy!
          else
            # same email address but different account? likely a takeover scenario
            result.failed = true
            result.failed_reason = I18n.t('errors.conflicting_google_user_id')
            return result
          end
        end
        ::GoogleUserInfo.create({ user_id: result.user.id }.merge(google_hash))
      end
    end

    result
  end

  def after_create_account(user, auth)
    data = auth[:extra_data]
    GoogleUserInfo.create({ user_id: user.id }.merge(data))
  end

  def register_middleware(omniauth)
    options = {
      setup: lambda { |env|
        strategy = env["omniauth.strategy"]
        strategy.options[:client_id] = SiteSetting.google_oauth2_client_id
        strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret

        if (google_oauth2_hd = SiteSetting.google_oauth2_hd).present?
          strategy.options[:hd] = google_oauth2_hd
        end

        if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present?
          strategy.options[:prompt] = google_oauth2_prompt.gsub("|", " ")
        end
      },
      skip_jwt: true
    }
    # jwt encoding is causing auth to fail in quite a few conditions
    # skipping
    omniauth.provider :google_oauth2, options
  end

  protected

  def parse_hash(hash)
    extra = hash[:extra][:raw_info]

    h = {}

    h[:email] = hash[:info][:email]
    h[:name] = hash[:info][:name]
    h[:email_valid] = extra[:email_verified]

    h[:google] = {
      google_user_id: hash[:uid] || extra[:sub],
      email: extra[:email],
      first_name: extra[:given_name],
      last_name: extra[:family_name],
      gender: extra[:gender],
      name: extra[:name],
      link: extra[:hd],
      profile_link: extra[:profile],
      picture: extra[:picture]
    }

    h
  end
end
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`class Auth::GoogleOAuth2Authenticator < Auth::Authenticator`

			`def name`
			`"google_oauth2"`
			`end`

FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 11:51:57 -04:00			`def enabled?`
			`SiteSetting.enable_google_oauth2_logins`
			`end`

			`def description_for_user(user)`
			`info = GoogleUserInfo.find_by(user_id: user.id)`
			`info&.email \|\| info&.name \|\| ""`
			`end`

FEATURE: Add revoke and reconnect functionality for google logins 2018-07-25 11:03:14 -04:00			`def can_revoke?`
			`true`
			`end`

			`def revoke(user, skip_remote: false)`
			`info = GoogleUserInfo.find_by(user_id: user.id)`
			`raise Discourse::NotFound if info.nil?`

			`# We get a temporary token from google upon login but do not need it, and do not store it.`
			`# Therefore we do not have any way to revoke the token automatically on google's end`

			`info.destroy!`
			`true`
			`end`

			`def can_connect_existing_user?`
			`true`
			`end`

			`def after_authenticate(auth_hash, existing_account: nil)`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`session_info = parse_hash(auth_hash)`
			`google_hash = session_info[:google]`

add some explicit scoping to help avoid erratic failure in test 2017-03-07 16:00:51 -05:00			`result = ::Auth::Result.new`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`result.email = session_info[:email]`
			`result.email_valid = session_info[:email_valid]`
			`result.name = session_info[:name]`

			`result.extra_data = google_hash`

add some explicit scoping to help avoid erratic failure in test 2017-03-07 16:00:51 -05:00			`user_info = ::GoogleUserInfo.find_by(google_user_id: google_hash[:google_user_id])`
FEATURE: Add revoke and reconnect functionality for google logins 2018-07-25 11:03:14 -04:00
			`if existing_account && (user_info.nil? \|\| existing_account.id != user_info.user_id)`
			`user_info.destroy! if user_info`
			`result.user = existing_account`
			`user_info = GoogleUserInfo.create!({ user_id: result.user.id }.merge(google_hash))`
			`else`
			`result.user = user_info&.user`
			`end`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00
FIX: protect against future regressions of google omniauth 2016-11-06 20:48:00 -05:00			`if !result.user && !result.email.blank? && result.email_valid`
			`result.user = User.find_by_email(result.email)`
			`if result.user`
Implements https://meta.discourse.org/t/issue-user-changed-google-account-and-cant-connect-thru-his-profile/35028/18?u=supermathie 2017-12-20 13:03:32 -05:00			`# we've matched an existing user to this login attempt...`
			`if result.user.google_user_info && result.user.google_user_info.google_user_id != google_hash[:google_user_id]`
			`# but the user has changed the google account used to log in...`
			`if result.user.google_user_info.email != google_hash[:email]`
			`# the user changed their email, go ahead and scrub the old record`
			`result.user.google_user_info.destroy!`
			`else`
			`# same email address but different account? likely a takeover scenario`
			`result.failed = true`
			`result.failed_reason = I18n.t('errors.conflicting_google_user_id')`
			`return result`
			`end`
			`end`
Add rubocop to our build. (#5004) 2017-07-27 21:20:09 -04:00			`::GoogleUserInfo.create({ user_id: result.user.id }.merge(google_hash))`
FIX: protect against future regressions of google omniauth 2016-11-06 20:48:00 -05:00			`end`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`end`

			`result`
			`end`

			`def after_create_account(user, auth)`
			`data = auth[:extra_data]`
Add rubocop to our build. (#5004) 2017-07-27 21:20:09 -04:00			`GoogleUserInfo.create({ user_id: user.id }.merge(data))`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`end`

			`def register_middleware(omniauth)`
Take 2 on https://github.com/discourse/discourse/commit/f74d6bb605f0395f4cba5e69d3c32206ca7c39a8. New options are left out by default when not configured so that an incorrect default configuration doesn't blow up google oauth for everyone. 2018-02-22 18:19:36 -05:00			`options = {`
			`setup: lambda { \|env\|`
			`strategy = env["omniauth.strategy"]`
FIX: Google `HD` and `Prompt` settings should be checked at runtime Previously a server restart was required after settings changes, and it did not work in multisite environments 2019-01-31 05:05:25 -05:00			`strategy.options[:client_id] = SiteSetting.google_oauth2_client_id`
			`strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret`

			`if (google_oauth2_hd = SiteSetting.google_oauth2_hd).present?`
			`strategy.options[:hd] = google_oauth2_hd`
			`end`

			`if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present?`
			`strategy.options[:prompt] = google_oauth2_prompt.gsub("\|", " ")`
			`end`
Take 2 on https://github.com/discourse/discourse/commit/f74d6bb605f0395f4cba5e69d3c32206ca7c39a8. New options are left out by default when not configured so that an incorrect default configuration doesn't blow up google oauth for everyone. 2018-02-22 18:19:36 -05:00			`},`
			`skip_jwt: true`
			`}`
FIX: skip jwt encoding for auth 2016-02-04 16:48:16 -05:00			`# jwt encoding is causing auth to fail in quite a few conditions`
			`# skipping`
Take 2 on https://github.com/discourse/discourse/commit/f74d6bb605f0395f4cba5e69d3c32206ca7c39a8. New options are left out by default when not configured so that an incorrect default configuration doesn't blow up google oauth for everyone. 2018-02-22 18:19:36 -05:00			`omniauth.provider :google_oauth2, options`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`end`

			`protected`

			`def parse_hash(hash)`
			`extra = hash[:extra][:raw_info]`

			`h = {}`

			`h[:email] = hash[:info][:email]`
			`h[:name] = hash[:info][:name]`
FIX: Don't mark user as `active` if verified email is different. 2017-02-28 22:58:24 -05:00			`h[:email_valid] = extra[:email_verified]`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00
			`h[:google] = {`
			`google_user_id: hash[:uid] \|\| extra[:sub],`
			`email: extra[:email],`
			`first_name: extra[:given_name],`
			`last_name: extra[:family_name],`
			`gender: extra[:gender],`
			`name: extra[:name],`
			`link: extra[:hd],`
			`profile_link: extra[:profile],`
			`picture: extra[:picture]`
			`}`

			`h`
			`end`
Don't blow up if Redis switches to READONLY 2015-04-24 13:10:43 -04:00			`end`