SECURITY: signup without verified email using Google auth

app/controllers/users_controller.rb

@@ -351,6 +351,11 @@ class UsersController < ApplicationController
 
     authentication.start
 
+    if authentication.email_valid? && !authentication.authenticated?
+      # posted email is different that the already validated one?
+      return fail_with('login.incorrect_username_email_or_password')
+    end
+
     activation = UserActivator.new(user, request, session, cookies)
     activation.start
 

app/services/user_authenticator.rb

@@ -25,12 +25,16 @@ class UserAuthenticator
     @session = nil
   end
 
-  private
+  def email_valid?
+    @session && @session[:email_valid]
+  end
 
   def authenticated?
     @session && @session[:email] == @user.email && @session[:email_valid]
   end
 
+  private
+
   def authenticator
     if authenticator_name
       @authenticator ||= @authenticator_finder.find_authenticator(authenticator_name)

lib/auth/google_oauth2_authenticator.rb

@@ -31,7 +31,7 @@ class Auth::GoogleOAuth2Authenticator < Auth::Authenticator
   def after_create_account(user, auth)
     data = auth[:extra_data]
     GoogleUserInfo.create({ user_id: user.id }.merge(data))
-    if auth[:email_valid].to_s == 'true'
+    if auth[:email_valid].to_s == 'true' && data[:email]&.downcase == user.email
       EmailToken.confirm(user.email_tokens.first.token)
       user.set_automatic_groups
     end

spec/components/auth/google_oauth2_authenticator_spec.rb

@@ -85,16 +85,31 @@ describe Auth::GoogleOAuth2Authenticator do
   context 'after_create_account' do
     it 'confirms email' do
       authenticator = Auth::GoogleOAuth2Authenticator.new
-      user = Fabricate(:user)
+      user = Fabricate(:user, email: 'realgoogleuser@gmail.com')
       session = {
         email_valid: "true",
         extra_data: {
-          google_user_id: 1
+          google_user_id: 1,
+          email: 'realgoogleuser@gmail.com'
         }
       }
       authenticator.after_create_account(user, session)
       expect(user.email_confirmed?).to eq(true)
     end
+
+    it "doesn't confirm email if it was changed" do
+      authenticator = Auth::GoogleOAuth2Authenticator.new
+      user = Fabricate(:user, email: 'changed@gmail.com')
+      session = {
+        email_valid: "true",
+        extra_data: {
+          google_user_id: 1,
+          email: 'realgoogleuser@gmail.com'
+        }
+      }
+      authenticator.after_create_account(user, session)
+      expect(user.email_confirmed?).to eq(false)
+    end
   end
 
 end

spec/controllers/users_controller_spec.rb

@@ -809,6 +809,24 @@ describe UsersController do
           expect(TwitterUserInfo.count).to eq(1)
         end
       end
+
+      it "returns an error when email has been changed from the validated email address" do
+        auth = session[:authentication] = {}
+        auth[:email_valid] = 'true'
+        auth[:email] = 'therealone@gmail.com'
+        post_user
+        json = JSON.parse(response.body)
+        expect(json['success']).to eq(false)
+        expect(json['message']).to be_present
+      end
+
+      it "will create the user successfully if email validation is required" do
+        auth = session[:authentication] = {}
+        auth[:email] = post_user_params[:email]
+        post_user
+        json = JSON.parse(response.body)
+        expect(json['success']).to eq(true)
+      end
     end
 
     context 'after success' do