SECURITY: Ensure oAuth authenticated email is the same as created user's email.

This commit is contained in:
Guo Xiang Tan 2017-02-24 13:13:10 +08:00
parent 0847b4258a
commit 1060239e2d
3 changed files with 42 additions and 1 deletions

View File

@ -21,7 +21,10 @@ class UserAuthenticator
end
def finish
authenticator.after_create_account(@user, @session) if authenticator
if authenticator && authenticated?
authenticator.after_create_account(@user, @session)
end
@session = nil
end

View File

@ -0,0 +1,36 @@
require 'rails_helper'
RSpec.describe UserAuthenticator do
let(:user) { Fabricate(:user, email: 'test@discourse.org') }
describe "#finish" do
before do
SiteSetting.enable_google_oauth2_logins = true
end
it "should execute provider's callback" do
user.update!(email: 'test@gmail.com')
authenticator = UserAuthenticator.new(user, { authentication: {
authenticator_name: Auth::GoogleOAuth2Authenticator.new.name,
email: user.email,
email_valid: true,
extra_data: { google_user_id: 1 }
}})
expect { authenticator.finish }.to change { GoogleUserInfo.count }.by(1)
end
describe "when session's email is different from user's email" do
it "should not execute provider's callback" do
authenticator = UserAuthenticator.new(user, { authentication: {
authenticator_name: Auth::GoogleOAuth2Authenticator.new.name,
email: 'test@gmail.com',
email_valid: true
}})
expect { authenticator.finish }.to_not change { GoogleUserInfo.count }
end
end
end
end

View File

@ -611,6 +611,8 @@ describe UsersController do
auth = session[:authentication] = {}
auth[:authenticator_name] = 'twitter'
auth[:extra_data] = twitter_auth
auth[:email_valid] = true
auth[:email] = @user.email
post_user