discourse/lib/auth/github_authenticator.rb

# frozen_string_literal: true

require 'has_errors'

class Auth::GithubAuthenticator < Auth::ManagedAuthenticator

  def name
    "github"
  end

  def enabled?
    SiteSetting.enable_github_logins
  end

  def after_authenticate(auth_token, existing_account: nil)
    result = super
    return result if result.user
    # If email domain restrictions are configured,
    # pick a secondary email which is allowed
    all_github_emails(auth_token).each do |candidate|
      next if !EmailValidator.allowed?(candidate[:email])
      result.email = candidate[:email]
      result.email_valid = !!candidate[:verified]
      break
    end

    result
  end

  def find_user_by_email(auth_token)
    # Use verified secondary emails to find a match
    all_github_emails(auth_token).each do |candidate|
      next if !candidate[:verified]
      if user = User.find_by_email(candidate[:email])
        return user
      end
    end
    nil
  end

  def all_github_emails(auth_token)
    emails = Array.new(auth_token[:extra][:all_emails])
    primary_email = emails.find { |email| email[:primary] }
    if primary_email
      emails.delete(primary_email)
      emails.unshift(primary_email)
    end
    emails
  end

  def register_middleware(omniauth)
    omniauth.provider :github,
           setup: lambda { |env|
             strategy = env["omniauth.strategy"]
              strategy.options[:client_id] = SiteSetting.github_client_id
              strategy.options[:client_secret] = SiteSetting.github_client_secret
           },
           scope: "user:email"
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

DEV: Upgrade to Rails 7 This patch upgrades Rails to version 7.0.2.4. 2022-03-21 10:28:52 -04:00			`require 'has_errors'`
Add support for email whitelist/blacklist to GitHub auth If a site is configured for GitHub logins, _and_ has an email domain whitelist, it's possible to get in a state where a new user is locked to a non-whitelist email (their GitHub primary) even though they have an alternate email that's on the whitelist. In all cases, the GitHub primary email is attempted first so that previously existing behavior will be the default. - Add whitelist/blacklist support to GithubAuthenticator (via EmailValidator) - Add multiple email support GithubAuthenticator - Add test specs for GithubAuthenticator - Add authenticator-agnostic "none of your email addresses are allowed" error message. 2016-09-22 14:31:10 -04:00
DEV: Migrate Github authentication to ManagedAuthenticator (#11170) This commit adds an additional find_user_by_email hook to ManagedAuthenticator so that GitHub login can continue to support secondary email addresses The github_user_infos table will be dropped in a follow-up commit. This is the last core authenticator to be migrated to ManagedAuthenticator 🎉 2020-11-10 05:09:15 -05:00			`class Auth::GithubAuthenticator < Auth::ManagedAuthenticator`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00
			`def name`
			`"github"`
			`end`

FEATURE: List, revoke and reconnect associated accounts. Phase 1 (#6099) Listing connections is supported for all built-in auth providers. Revoke and reconnect is currently only implemented for Facebook. 2018-07-23 11:51:57 -04:00			`def enabled?`
			`SiteSetting.enable_github_logins`
			`end`

FEATURE: Allow revoke and connect for GitHub logins 2018-07-27 12:18:53 -04:00			`def after_authenticate(auth_token, existing_account: nil)`
DEV: Migrate Github authentication to ManagedAuthenticator (#11170) This commit adds an additional find_user_by_email hook to ManagedAuthenticator so that GitHub login can continue to support secondary email addresses The github_user_infos table will be dropped in a follow-up commit. This is the last core authenticator to be migrated to ManagedAuthenticator 🎉 2020-11-10 05:09:15 -05:00			`result = super`
			`return result if result.user`
			`# If email domain restrictions are configured,`
			`# pick a secondary email which is allowed`
			`all_github_emails(auth_token).each do \|candidate\|`
			`next if !EmailValidator.allowed?(candidate[:email])`
			`result.email = candidate[:email]`
			`result.email_valid = !!candidate[:verified]`
			`break`
FEATURE: Allow revoke and connect for GitHub logins 2018-07-27 12:18:53 -04:00			`end`

DEV: Migrate Github authentication to ManagedAuthenticator (#11170) This commit adds an additional find_user_by_email hook to ManagedAuthenticator so that GitHub login can continue to support secondary email addresses The github_user_infos table will be dropped in a follow-up commit. This is the last core authenticator to be migrated to ManagedAuthenticator 🎉 2020-11-10 05:09:15 -05:00			`result`
			`end`
Add support for email whitelist/blacklist to GitHub auth If a site is configured for GitHub logins, _and_ has an email domain whitelist, it's possible to get in a state where a new user is locked to a non-whitelist email (their GitHub primary) even though they have an alternate email that's on the whitelist. In all cases, the GitHub primary email is attempted first so that previously existing behavior will be the default. - Add whitelist/blacklist support to GithubAuthenticator (via EmailValidator) - Add multiple email support GithubAuthenticator - Add test specs for GithubAuthenticator - Add authenticator-agnostic "none of your email addresses are allowed" error message. 2016-09-22 14:31:10 -04:00
DEV: Migrate Github authentication to ManagedAuthenticator (#11170) This commit adds an additional find_user_by_email hook to ManagedAuthenticator so that GitHub login can continue to support secondary email addresses The github_user_infos table will be dropped in a follow-up commit. This is the last core authenticator to be migrated to ManagedAuthenticator 🎉 2020-11-10 05:09:15 -05:00			`def find_user_by_email(auth_token)`
			`# Use verified secondary emails to find a match`
			`all_github_emails(auth_token).each do \|candidate\|`
			`next if !candidate[:verified]`
			`if user = User.find_by_email(candidate[:email])`
			`return user`
Add support for email whitelist/blacklist to GitHub auth If a site is configured for GitHub logins, _and_ has an email domain whitelist, it's possible to get in a state where a new user is locked to a non-whitelist email (their GitHub primary) even though they have an alternate email that's on the whitelist. In all cases, the GitHub primary email is attempted first so that previously existing behavior will be the default. - Add whitelist/blacklist support to GithubAuthenticator (via EmailValidator) - Add multiple email support GithubAuthenticator - Add test specs for GithubAuthenticator - Add authenticator-agnostic "none of your email addresses are allowed" error message. 2016-09-22 14:31:10 -04:00			`end`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`end`
DEV: Migrate Github authentication to ManagedAuthenticator (#11170) This commit adds an additional find_user_by_email hook to ManagedAuthenticator so that GitHub login can continue to support secondary email addresses The github_user_infos table will be dropped in a follow-up commit. This is the last core authenticator to be migrated to ManagedAuthenticator 🎉 2020-11-10 05:09:15 -05:00			`nil`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`end`

DEV: Migrate Github authentication to ManagedAuthenticator (#11170) This commit adds an additional find_user_by_email hook to ManagedAuthenticator so that GitHub login can continue to support secondary email addresses The github_user_infos table will be dropped in a follow-up commit. This is the last core authenticator to be migrated to ManagedAuthenticator 🎉 2020-11-10 05:09:15 -05:00			`def all_github_emails(auth_token)`
			`emails = Array.new(auth_token[:extra][:all_emails])`
			`primary_email = emails.find { \|email\| email[:primary] }`
			`if primary_email`
			`emails.delete(primary_email)`
			`emails.unshift(primary_email)`
			`end`
			`emails`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`end`
Fixed all broken specs Moved middleware config into authenticators 2013-08-25 21:04:16 -04:00
			`def register_middleware(omniauth)`
			`omniauth.provider :github,`
			`setup: lambda { \|env\|`
			`strategy = env["omniauth.strategy"]`
			`strategy.options[:client_id] = SiteSetting.github_client_id`
			`strategy.options[:client_secret] = SiteSetting.github_client_secret`
			`},`
			`scope: "user:email"`
			`end`
major refactor of auth, break up the gigantic omniauth controller into sub classes for way better extensibitily 2013-08-23 02:20:43 -04:00			`end`