SECURITY: signup without verified email using Google auth

This commit is contained in:
Neil Lalonde 2017-10-16 13:51:35 -04:00
parent 80d0c6df7c
commit 2db66072d7
5 changed files with 46 additions and 4 deletions

View File

@ -351,6 +351,11 @@ class UsersController < ApplicationController
authentication.start authentication.start
if authentication.email_valid? && !authentication.authenticated?
# posted email is different that the already validated one?
return fail_with('login.incorrect_username_email_or_password')
end
activation = UserActivator.new(user, request, session, cookies) activation = UserActivator.new(user, request, session, cookies)
activation.start activation.start

View File

@ -25,12 +25,16 @@ class UserAuthenticator
@session = nil @session = nil
end end
private def email_valid?
@session && @session[:email_valid]
end
def authenticated? def authenticated?
@session && @session[:email] == @user.email && @session[:email_valid] @session && @session[:email] == @user.email && @session[:email_valid]
end end
private
def authenticator def authenticator
if authenticator_name if authenticator_name
@authenticator ||= @authenticator_finder.find_authenticator(authenticator_name) @authenticator ||= @authenticator_finder.find_authenticator(authenticator_name)

View File

@ -31,7 +31,7 @@ class Auth::GoogleOAuth2Authenticator < Auth::Authenticator
def after_create_account(user, auth) def after_create_account(user, auth)
data = auth[:extra_data] data = auth[:extra_data]
GoogleUserInfo.create({ user_id: user.id }.merge(data)) GoogleUserInfo.create({ user_id: user.id }.merge(data))
if auth[:email_valid].to_s == 'true' if auth[:email_valid].to_s == 'true' && data[:email]&.downcase == user.email
EmailToken.confirm(user.email_tokens.first.token) EmailToken.confirm(user.email_tokens.first.token)
user.set_automatic_groups user.set_automatic_groups
end end

View File

@ -85,16 +85,31 @@ describe Auth::GoogleOAuth2Authenticator do
context 'after_create_account' do context 'after_create_account' do
it 'confirms email' do it 'confirms email' do
authenticator = Auth::GoogleOAuth2Authenticator.new authenticator = Auth::GoogleOAuth2Authenticator.new
user = Fabricate(:user) user = Fabricate(:user, email: 'realgoogleuser@gmail.com')
session = { session = {
email_valid: "true", email_valid: "true",
extra_data: { extra_data: {
google_user_id: 1 google_user_id: 1,
email: 'realgoogleuser@gmail.com'
} }
} }
authenticator.after_create_account(user, session) authenticator.after_create_account(user, session)
expect(user.email_confirmed?).to eq(true) expect(user.email_confirmed?).to eq(true)
end end
it "doesn't confirm email if it was changed" do
authenticator = Auth::GoogleOAuth2Authenticator.new
user = Fabricate(:user, email: 'changed@gmail.com')
session = {
email_valid: "true",
extra_data: {
google_user_id: 1,
email: 'realgoogleuser@gmail.com'
}
}
authenticator.after_create_account(user, session)
expect(user.email_confirmed?).to eq(false)
end
end end
end end

View File

@ -809,6 +809,24 @@ describe UsersController do
expect(TwitterUserInfo.count).to eq(1) expect(TwitterUserInfo.count).to eq(1)
end end
end end
it "returns an error when email has been changed from the validated email address" do
auth = session[:authentication] = {}
auth[:email_valid] = 'true'
auth[:email] = 'therealone@gmail.com'
post_user
json = JSON.parse(response.body)
expect(json['success']).to eq(false)
expect(json['message']).to be_present
end
it "will create the user successfully if email validation is required" do
auth = session[:authentication] = {}
auth[:email] = post_user_params[:email]
post_user
json = JSON.parse(response.body)
expect(json['success']).to eq(true)
end
end end
context 'after success' do context 'after success' do