FIX: display warning when SSO email is different from invite email (#13804)

In this commit, we skipped frontend validation when email is obfuscated:
https://github.com/discourse/discourse/commit/534008ba24c

However, if email from SSO is different from email from invite, we should still display warning.

app/assets/javascripts/discourse/app/controllers/invites-show.js

@@ -31,6 +31,7 @@ export default Controller.extend(
     accountEmail: alias("email"),
     hiddenEmail: alias("model.hidden_email"),
     emailVerifiedByLink: alias("model.email_verified_by_link"),
+    differentExternalEmail: alias("model.different_external_email"),
     accountUsername: alias("model.username"),
     passwordRequired: notEmpty("accountPassword"),
     successMessage: null,
@@ -130,7 +131,8 @@ export default Controller.extend(
       "authOptions.email",
       "authOptions.email_valid",
       "hiddenEmail",
-      "emailVerifiedByLink"
+      "emailVerifiedByLink",
+      "differentExternalEmail"
     )
     emailValidation(
       email,
@@ -138,9 +140,10 @@ export default Controller.extend(
       externalAuthEmail,
       externalAuthEmailValid,
       hiddenEmail,
-      emailVerifiedByLink
+      emailVerifiedByLink,
+      differentExternalEmail
     ) {
-      if (hiddenEmail) {
+      if (hiddenEmail && !differentExternalEmail) {
         return EmberObject.create({
           ok: true,
           reason: I18n.t("user.email.ok"),

app/assets/javascripts/discourse/tests/acceptance/invite-accept-test.js

@@ -1,6 +1,7 @@
 import {
   acceptance,
   exists,
+  query,
   queryAll,
 } from "discourse/tests/helpers/qunit-helpers";
 import { fillIn, visit } from "@ember/test-helpers";
@@ -22,7 +23,12 @@ function setAuthenticationData(hooks, json) {
   });
 }
 
-function preloadInvite({ link = false, email_verified_by_link = false } = {}) {
+function preloadInvite({
+  link = false,
+  email_verified_by_link = false,
+  different_external_email = false,
+  hidden_email = false,
+} = {}) {
   const info = {
     invited_by: {
       id: 123,
@@ -33,6 +39,8 @@ function preloadInvite({ link = false, email_verified_by_link = false } = {}) {
     },
     username: "invited",
     email_verified_by_link: email_verified_by_link,
+    different_external_email: different_external_email,
+    hidden_email: hidden_email,
   };
 
   if (link) {
@@ -362,6 +370,32 @@ acceptance(
   }
 );
 
+acceptance(
+  "Email Invite link with different external email address",
+  function (needs) {
+    needs.settings({ enable_local_logins: false });
+
+    setAuthenticationData(needs.hooks, {
+      auth_provider: "facebook",
+      email: "foobar+different@example.com",
+      email_valid: true,
+      username: "foobar",
+      name: "barfoo",
+    });
+
+    test("display information that email is invalid", async function (assert) {
+      preloadInvite({ different_external_email: true, hidden_email: true });
+
+      await visit("/invites/myvalidinvitetoken");
+
+      assert.equal(
+        query(".bad").textContent.trim(),
+        "Your invitation email does not match the email authenticated by Facebook"
+      );
+    });
+  }
+);
+
 acceptance(
   "Email Invite link with valid authentication data, valid email token, unverified authentication email",
   function (needs) {

app/controllers/invites_controller.rb

@@ -50,10 +50,13 @@ class InvitesController < ApplicationController
       email = Email.obfuscate(invite.email)
 
       # Show email if the user already authenticated their email
+      different_external_email = false
       if session[:authentication]
         auth_result = Auth::Result.from_session_data(session[:authentication], user: nil)
         if invite.email == auth_result.email
           email = invite.email
+        else
+          different_external_email = true
         end
       end
 
@@ -73,6 +76,10 @@ class InvitesController < ApplicationController
         email_verified_by_link: email_verified_by_link
       }
 
+      if different_external_email
+        info[:different_external_email] = true
+      end
+
       if staged_user = User.where(staged: true).with_email(invite.email).first
         info[:username] = staged_user.username
         info[:user_fields] = staged_user.user_fields