SECURITY: signup without verified email using Google auth
This commit is contained in:
parent
80d0c6df7c
commit
2db66072d7
|
@ -351,6 +351,11 @@ class UsersController < ApplicationController
|
||||||
|
|
||||||
authentication.start
|
authentication.start
|
||||||
|
|
||||||
|
if authentication.email_valid? && !authentication.authenticated?
|
||||||
|
# posted email is different that the already validated one?
|
||||||
|
return fail_with('login.incorrect_username_email_or_password')
|
||||||
|
end
|
||||||
|
|
||||||
activation = UserActivator.new(user, request, session, cookies)
|
activation = UserActivator.new(user, request, session, cookies)
|
||||||
activation.start
|
activation.start
|
||||||
|
|
||||||
|
|
|
@ -25,12 +25,16 @@ class UserAuthenticator
|
||||||
@session = nil
|
@session = nil
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
def email_valid?
|
||||||
|
@session && @session[:email_valid]
|
||||||
|
end
|
||||||
|
|
||||||
def authenticated?
|
def authenticated?
|
||||||
@session && @session[:email] == @user.email && @session[:email_valid]
|
@session && @session[:email] == @user.email && @session[:email_valid]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
def authenticator
|
def authenticator
|
||||||
if authenticator_name
|
if authenticator_name
|
||||||
@authenticator ||= @authenticator_finder.find_authenticator(authenticator_name)
|
@authenticator ||= @authenticator_finder.find_authenticator(authenticator_name)
|
||||||
|
|
|
@ -31,7 +31,7 @@ class Auth::GoogleOAuth2Authenticator < Auth::Authenticator
|
||||||
def after_create_account(user, auth)
|
def after_create_account(user, auth)
|
||||||
data = auth[:extra_data]
|
data = auth[:extra_data]
|
||||||
GoogleUserInfo.create({ user_id: user.id }.merge(data))
|
GoogleUserInfo.create({ user_id: user.id }.merge(data))
|
||||||
if auth[:email_valid].to_s == 'true'
|
if auth[:email_valid].to_s == 'true' && data[:email]&.downcase == user.email
|
||||||
EmailToken.confirm(user.email_tokens.first.token)
|
EmailToken.confirm(user.email_tokens.first.token)
|
||||||
user.set_automatic_groups
|
user.set_automatic_groups
|
||||||
end
|
end
|
||||||
|
|
|
@ -85,16 +85,31 @@ describe Auth::GoogleOAuth2Authenticator do
|
||||||
context 'after_create_account' do
|
context 'after_create_account' do
|
||||||
it 'confirms email' do
|
it 'confirms email' do
|
||||||
authenticator = Auth::GoogleOAuth2Authenticator.new
|
authenticator = Auth::GoogleOAuth2Authenticator.new
|
||||||
user = Fabricate(:user)
|
user = Fabricate(:user, email: 'realgoogleuser@gmail.com')
|
||||||
session = {
|
session = {
|
||||||
email_valid: "true",
|
email_valid: "true",
|
||||||
extra_data: {
|
extra_data: {
|
||||||
google_user_id: 1
|
google_user_id: 1,
|
||||||
|
email: 'realgoogleuser@gmail.com'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
authenticator.after_create_account(user, session)
|
authenticator.after_create_account(user, session)
|
||||||
expect(user.email_confirmed?).to eq(true)
|
expect(user.email_confirmed?).to eq(true)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "doesn't confirm email if it was changed" do
|
||||||
|
authenticator = Auth::GoogleOAuth2Authenticator.new
|
||||||
|
user = Fabricate(:user, email: 'changed@gmail.com')
|
||||||
|
session = {
|
||||||
|
email_valid: "true",
|
||||||
|
extra_data: {
|
||||||
|
google_user_id: 1,
|
||||||
|
email: 'realgoogleuser@gmail.com'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
authenticator.after_create_account(user, session)
|
||||||
|
expect(user.email_confirmed?).to eq(false)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -809,6 +809,24 @@ describe UsersController do
|
||||||
expect(TwitterUserInfo.count).to eq(1)
|
expect(TwitterUserInfo.count).to eq(1)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "returns an error when email has been changed from the validated email address" do
|
||||||
|
auth = session[:authentication] = {}
|
||||||
|
auth[:email_valid] = 'true'
|
||||||
|
auth[:email] = 'therealone@gmail.com'
|
||||||
|
post_user
|
||||||
|
json = JSON.parse(response.body)
|
||||||
|
expect(json['success']).to eq(false)
|
||||||
|
expect(json['message']).to be_present
|
||||||
|
end
|
||||||
|
|
||||||
|
it "will create the user successfully if email validation is required" do
|
||||||
|
auth = session[:authentication] = {}
|
||||||
|
auth[:email] = post_user_params[:email]
|
||||||
|
post_user
|
||||||
|
json = JSON.parse(response.body)
|
||||||
|
expect(json['success']).to eq(true)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'after success' do
|
context 'after success' do
|
||||||
|
|
Loading…
Reference in New Issue