discourse/lib/auth/google_oauth2_authenticator.rb

# frozen_string_literal: true

class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator
  def name
    "google_oauth2"
  end

  def enabled?
    SiteSetting.enable_google_oauth2_logins
  end

  def primary_email_verified?(auth_token)
    # note, emails that come back from google via omniauth are always valid
    # this protects against future regressions
    auth_token[:extra][:raw_info][:email_verified]
  end

  def register_middleware(omniauth)
    options = {
      setup: lambda { |env|
        strategy = env["omniauth.strategy"]
        strategy.options[:client_id] = SiteSetting.google_oauth2_client_id
        strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret

        if (google_oauth2_hd = SiteSetting.google_oauth2_hd).present?
          strategy.options[:hd] = google_oauth2_hd
        end

        if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present?
          strategy.options[:prompt] = google_oauth2_prompt.gsub("|", " ")
        end

        # All the data we need for the `info` and `credentials` auth hash
        # are obtained via the user info API, not the JWT. Using and verifying
        # the JWT can fail due to clock skew, so let's skip it completely.
        # https://github.com/zquestz/omniauth-google-oauth2/pull/392
        strategy.options[:skip_jwt] = true
      }
    }
    omniauth.provider :google_oauth2, options
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

REFACTOR: Migrate GoogleOAuth2Authenticator to use ManagedAuthenticator (#7120) https://meta.discourse.org/t/future-social-authentication-improvements/94691/3 2019-03-07 06:31:04 -05:00			`class Auth::GoogleOAuth2Authenticator < Auth::ManagedAuthenticator`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`def name`
			`"google_oauth2"`
			`end`

FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 11:51:57 -04:00			`def enabled?`
			`SiteSetting.enable_google_oauth2_logins`
			`end`

REFACTOR: Migrate GoogleOAuth2Authenticator to use ManagedAuthenticator (#7120) https://meta.discourse.org/t/future-social-authentication-improvements/94691/3 2019-03-07 06:31:04 -05:00			`def primary_email_verified?(auth_token)`
			`# note, emails that come back from google via omniauth are always valid`
			`# this protects against future regressions`
			`auth_token[:extra][:raw_info][:email_verified]`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`end`

			`def register_middleware(omniauth)`
Take 2 on https://github.com/discourse/discourse/commit/f74d6bb605f0395f4cba5e69d3c32206ca7c39a8. New options are left out by default when not configured so that an incorrect default configuration doesn't blow up google oauth for everyone. 2018-02-22 18:19:36 -05:00			`options = {`
			`setup: lambda { \|env\|`
			`strategy = env["omniauth.strategy"]`
FIX: Google `HD` and `Prompt` settings should be checked at runtime Previously a server restart was required after settings changes, and it did not work in multisite environments 2019-01-31 05:05:25 -05:00			`strategy.options[:client_id] = SiteSetting.google_oauth2_client_id`
			`strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret`

			`if (google_oauth2_hd = SiteSetting.google_oauth2_hd).present?`
			`strategy.options[:hd] = google_oauth2_hd`
			`end`

			`if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present?`
			`strategy.options[:prompt] = google_oauth2_prompt.gsub("\|", " ")`
			`end`
FIX: Avoid clock skew issues when logging in with Google (#11442) All the data we need for the `info` and `credentials` auth hash are obtained via the user info API, not the JWT. Using and verifying the JWT can fail due to clock skew, so let's skip it completely. PR opened to fix the upstream issue at https://github.com/zquestz/omniauth-google-oauth2/pull/392 2020-12-09 04:09:31 -05:00
			# All the data we need for the `info` and `credentials` auth hash
			`# are obtained via the user info API, not the JWT. Using and verifying`
			`# the JWT can fail due to clock skew, so let's skip it completely.`
			`# https://github.com/zquestz/omniauth-google-oauth2/pull/392`
			`strategy.options[:skip_jwt] = true`
REFACTOR: Migrate GoogleOAuth2Authenticator to use ManagedAuthenticator (#7120) https://meta.discourse.org/t/future-social-authentication-improvements/94691/3 2019-03-07 06:31:04 -05:00			`}`
Take 2 on https://github.com/discourse/discourse/commit/f74d6bb605f0395f4cba5e69d3c32206ca7c39a8. New options are left out by default when not configured so that an incorrect default configuration doesn't blow up google oauth for everyone. 2018-02-22 18:19:36 -05:00			`}`
			`omniauth.provider :google_oauth2, options`
Add Google Oauth2 authenticator. The current Google OpenID authentication has been deprecated by Google and will NOT work for any new websites. 2014-05-21 18:19:40 -04:00			`end`
Don't blow up if Redis switches to READONLY 2015-04-24 13:10:43 -04:00			`end`