FEATURE: API to create user's associated account (#15737)

Discourse users and associated accounts are created or updated when a user logins or connects the account using their account preferences. This new API can be used to create associated accounts and users too, if necessary.
2022-03-03 18:17:02 +02:00 · 2022-03-03 18:17:02 +02:00 · 39ab14531a
parent a7db0ce985
commit 39ab14531a
11 changed files with 260 additions and 4 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -159,6 +159,17 @@ class UsersController < ApplicationController
      end
    end

+    if params[:external_ids]&.is_a?(ActionController::Parameters) && current_user&.admin? && is_api?
+      attributes[:user_associated_accounts] = []
+
+      params[:external_ids].each do |provider_name, provider_uid|
+        authenticator = Discourse.enabled_authenticators.find { |a| a.name == provider_name }
+        raise Discourse::InvalidParameters.new(:external_ids) if !authenticator&.is_managed?
+
+        attributes[:user_associated_accounts] << { provider_name: provider_name, provider_uid: provider_uid }
+      end
+    end
+
    json_result(user, serializer: UserSerializer, additional_errors: [:user_profile, :user_option]) do |u|
      updater = UserUpdater.new(current_user, user)
      updater.update(attributes.permit!)
@ -632,6 +643,7 @@ class UsersController < ApplicationController
    params.require(:username)
    params.require(:invite_code) if SiteSetting.require_invite_code
    params.permit(:user_fields)
+    params.permit(:external_ids)

    unless SiteSetting.allow_new_registrations
      return fail_with("login.new_registrations_disabled")
@ -691,6 +703,18 @@ class UsersController < ApplicationController
      user.custom_fields = fields
    end

+    # Handle associated accounts
+    associations = []
+    if params[:external_ids]&.is_a?(ActionController::Parameters) && current_user&.admin? && is_api?
+      params[:external_ids].each do |provider_name, provider_uid|
+        authenticator = Discourse.enabled_authenticators.find { |a| a.name == provider_name }
+        raise Discourse::InvalidParameters.new(:external_ids) if !authenticator&.is_managed?
+
+        association = UserAssociatedAccount.find_or_initialize_by(provider_name: provider_name, provider_uid: provider_uid)
+        associations << association
+      end
+    end
+
    authentication = UserAuthenticator.new(user, session)

    if !authentication.has_authenticator? && !SiteSetting.enable_local_logins && !(current_user&.admin? && is_api?)
@ -709,11 +733,12 @@ class UsersController < ApplicationController

    # just assign a password if we have an authenticator and no password
    # this is the case for Twitter
-    user.password = SecureRandom.hex if user.password.blank? && authentication.has_authenticator?
+    user.password = SecureRandom.hex if user.password.blank? && (authentication.has_authenticator? || associations.present?)

    if user.save
      authentication.finish
      activation.finish
+      associations.each { |a| a.update!(user: user) }
      user.update_timezone_if_missing(params[:timezone])

      secure_session[HONEYPOT_KEY] = nil
--- a/app/serializers/admin_detailed_user_serializer.rb
+++ b/app/serializers/admin_detailed_user_serializer.rb
@ -35,7 +35,8 @@ class AdminDetailedUserSerializer < AdminUserSerializer
             :second_factor_enabled,
             :can_disable_second_factor,
             :can_delete_sso_record,
-             :api_key_count
+             :api_key_count,
+             :external_ids

  has_one :approved_by, serializer: BasicUserSerializer, embed: :objects
  has_one :suspended_by, serializer: BasicUserSerializer, embed: :objects
@ -145,6 +146,16 @@ class AdminDetailedUserSerializer < AdminUserSerializer
    object.api_keys.active.count
  end

+  def external_ids
+    external_ids = {}
+
+    object.user_associated_accounts.map do |user_associated_account|
+      external_ids[user_associated_account.provider_name] = user_associated_account.provider_uid
+    end
+
+    external_ids
+  end
+
  def can_delete_sso_record
    scope.can_delete_sso_record?(object)
  end
--- a/app/services/user_updater.rb
+++ b/app/services/user_updater.rb
@ -197,6 +197,10 @@ class UserUpdater
        update_allowed_pm_users(attributes[:allowed_pm_usernames])
      end

+      if attributes.key?(:user_associated_accounts)
+        updated_associated_accounts(attributes[:user_associated_accounts])
+      end
+
      name_changed = user.name_changed?
      if (saved = (!save_options || user.user_option.save) && (user_notification_schedule.nil? || user_notification_schedule.save) && user_profile.save && user.save) &&
         (name_changed && old_user_name.casecmp(attributes.fetch(:name)) != 0)
@ -265,6 +269,17 @@ class UserUpdater
    end
  end

+  def updated_associated_accounts(associations)
+    associations.each do |association|
+      user_associated_account = UserAssociatedAccount.find_or_initialize_by(user_id: user.id, provider_name: association[:provider_name])
+      if association[:provider_uid].present?
+        user_associated_account.update!(provider_uid: association[:provider_uid])
+      else
+        user_associated_account.destroy!
+      end
+    end
+  end
+
  private

  attr_reader :user, :guardian
--- a/spec/lib/discourse_spec.rb
+++ b/spec/lib/discourse_spec.rb
@ -141,7 +141,7 @@ describe Discourse do
            'pluginauth'
          end

-          def enabled
+          def enabled?
            true
          end
        end
--- a/spec/requests/admin/users_controller_spec.rb
+++ b/spec/requests/admin/users_controller_spec.rb
@ -48,6 +48,15 @@ RSpec.describe Admin::UsersController do
        get "/admin/users/#{user.id}.json"
        expect(response.status).to eq(200)
      end
+
+      it 'includes associated accounts' do
+        user.user_associated_accounts.create!(provider_name: 'pluginauth', provider_uid: 'pluginauth_uid')
+
+        get "/admin/users/#{user.id}.json"
+        expect(response.status).to eq(200)
+        expect(response.parsed_body['external_ids'].size).to eq(1)
+        expect(response.parsed_body['external_ids']['pluginauth']).to eq('pluginauth_uid')
+      end
    end

    context 'a non-existing user' do
--- a/spec/requests/api/schemas/json/admin_user_response.json
+++ b/spec/requests/api/schemas/json/admin_user_response.json
@ -486,6 +486,9 @@
          ]
        }
      ]
+    },
+    "external_ids": {
+      "type": "object"
    }
  },
  "required": [
@ -547,6 +550,7 @@
    "approved_by",
    "suspended_by",
    "silenced_by",
-    "groups"
+    "groups",
+    "external_ids"
  ]
 }
--- a/spec/requests/api/schemas/json/user_create_request.json
+++ b/spec/requests/api/schemas/json/user_create_request.json
@ -21,6 +21,9 @@
    },
    "user_fields[1]": {
      "type": "boolean"
+    },
+    "external_ids": {
+      "type": "object"
    }
  },
  "required": [
--- a/spec/requests/api/schemas/json/user_update_request.json
+++ b/spec/requests/api/schemas/json/user_update_request.json
@ -0,0 +1,17 @@
+{
+  "additionalProperties": false,
+  "properties": {
+    "name": {
+      "type": "string"
+    },
+    "email": {
+      "type": "string"
+    },
+    "password": {
+      "type": "string"
+    },
+    "external_ids": {
+      "type": "object"
+    }
+  }
+}
--- a/spec/requests/api/schemas/json/user_update_response.json
+++ b/spec/requests/api/schemas/json/user_update_response.json
@ -0,0 +1,15 @@
+{
+  "additionalProperties": false,
+  "properties": {
+    "success": {
+      "type": "string"
+    },
+    "user": {
+      "type": "object"
+    }
+  },
+  "required": [
+    "success",
+    "user"
+  ]
+}
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@ -71,6 +71,32 @@ describe 'users' do
        end
      end
    end
+
+    put 'Update a user' do
+      tags 'Users'
+      operationId 'updateUser'
+      consumes 'application/json'
+
+      parameter name: 'Api-Key', in: :header, type: :string, required: true
+      parameter name: 'Api-Username', in: :header, type: :string, required: true
+      expected_request_schema = load_spec_schema('user_update_request')
+      parameter name: :username, in: :path, type: :string, required: true
+      parameter name: :params, in: :body, schema: expected_request_schema
+
+      produces 'application/json'
+      response '200', 'user updated' do
+        expected_response_schema = load_spec_schema('user_update_response')
+        schema expected_response_schema
+
+        let(:username) { Fabricate(:user).username }
+        let(:params) { { 'name' => 'user' } }
+
+        it_behaves_like "a JSON endpoint", 200 do
+          let(:expected_response_schema) { expected_response_schema }
+          let(:expected_request_schema) { expected_request_schema }
+        end
+      end
+    end
  end

  path '/u/by-external/{external_id}.json' do
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -648,6 +648,69 @@ describe UsersController do
          expect(response.status).to eq(200)
        end
      end
+
+      context 'with external_ids' do
+        fab!(:api_key, refind: false) { Fabricate(:api_key, user: admin) }
+
+        let(:plugin_auth_provider) do
+          authenticator_class = Class.new(Auth::ManagedAuthenticator) do
+            def name
+              'pluginauth'
+            end
+
+            def enabled?
+              true
+            end
+          end
+
+          provider = Auth::AuthProvider.new
+          provider.authenticator = authenticator_class.new
+          provider
+        end
+
+        before do
+          DiscoursePluginRegistry.register_auth_provider(plugin_auth_provider)
+        end
+
+        after do
+          DiscoursePluginRegistry.reset!
+        end
+
+        it 'creates User record' do
+          params = {
+            username: 'foobar',
+            email: 'test@example.com',
+            external_ids: { 'pluginauth' => 'pluginauth_uid' },
+          }
+
+          expect { post "/u.json", params: params, headers: { HTTP_API_KEY: api_key.key } }
+            .to change { UserAssociatedAccount.count }.by(1)
+            .and change { User.count }.by(1)
+
+          expect(response.status).to eq(200)
+
+          user = User.last
+          user_associated_account = UserAssociatedAccount.last
+
+          expect(user.username).to eq('foobar')
+          expect(user.email).to eq('test@example.com')
+          expect(user.user_associated_account_ids).to contain_exactly(user_associated_account.id)
+          expect(user_associated_account.provider_name).to eq('pluginauth')
+          expect(user_associated_account.provider_uid).to eq('pluginauth_uid')
+          expect(user_associated_account.user_id).to eq(user.id)
+        end
+
+        it 'returns error if external ID provider does not exist' do
+          params = {
+            username: 'foobar',
+            email: 'test@example.com',
+            external_ids: { 'pluginauth2' => 'pluginauth_uid' },
+          }
+
+          post "/u.json", params: params, headers: { HTTP_API_KEY: api_key.key }
+          expect(response.status).to eq(400)
+        end
+      end
    end

    context 'when creating a non active user (unconfirmed email)' do
@ -2231,6 +2294,74 @@ describe UsersController do
        end
      end
    end
+
+    context 'with external_ids' do
+      fab!(:api_key, refind: false) { Fabricate(:api_key, user: admin) }
+
+      let(:plugin_auth_provider) do
+        authenticator_class = Class.new(Auth::ManagedAuthenticator) do
+          def name
+            'pluginauth'
+          end
+
+          def enabled?
+            true
+          end
+        end
+
+        provider = Auth::AuthProvider.new
+        provider.authenticator = authenticator_class.new
+        provider
+      end
+
+      before do
+        DiscoursePluginRegistry.register_auth_provider(plugin_auth_provider)
+      end
+
+      after do
+        DiscoursePluginRegistry.reset!
+      end
+
+      it 'can create UserAssociatedAccount records' do
+        params = {
+          external_ids: { 'pluginauth' => 'pluginauth_uid' },
+        }
+
+        expect { put "/u/#{user.username}.json", params: params, headers: { HTTP_API_KEY: api_key.key } }
+          .to change { UserAssociatedAccount.count }.by(1)
+
+        expect(response.status).to eq(200)
+
+        user_associated_account = UserAssociatedAccount.last
+        expect(user.reload.user_associated_account_ids).to contain_exactly(user_associated_account.id)
+        expect(user_associated_account.provider_name).to eq('pluginauth')
+        expect(user_associated_account.provider_uid).to eq('pluginauth_uid')
+        expect(user_associated_account.user_id).to eq(user.id)
+      end
+
+      it 'can destroy UserAssociatedAccount records' do
+        user.user_associated_accounts.create!(provider_name: 'pluginauth', provider_uid: 'pluginauth_uid')
+
+        params = {
+          external_ids: { 'pluginauth' => nil },
+        }
+
+        expect { put "/u/#{user.username}.json", params: params, headers: { HTTP_API_KEY: api_key.key } }
+          .to change { UserAssociatedAccount.count }.by(-1)
+
+        expect(response.status).to eq(200)
+        expect(user.reload.user_associated_account_ids).to be_blank
+      end
+
+      it 'returns error if external ID provider does not exist' do
+        params = {
+          external_ids: { 'pluginauth2' => 'pluginauth_uid' },
+        }
+
+        put "/u/#{user.username}.json", params: params, headers: { HTTP_API_KEY: api_key.key }
+        expect(response.status).to eq(400)
+      end
+    end
  end

  describe '#badge_title' do