FIX: Return a 404 if the auth session is not present

2017-05-04 15:35:03 -04:00 · 2017-05-04 15:35:03 -04:00 · 777f1f0f47
parent c182dcc64c
commit 777f1f0f47
2 changed files with 9 additions and 0 deletions
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@ -31,6 +31,8 @@ class Users::OmniauthCallbacksController < ApplicationController

  def complete
    auth = request.env["omniauth.auth"]
+    raise Discourse::NotFound unless request.env["omniauth.auth"]
+
    auth[:session] = session

    authenticator = self.class.find_authenticator(params[:provider])
--- a/spec/integration/omniauth_callbacks_spec.rb
+++ b/spec/integration/omniauth_callbacks_spec.rb
@ -16,6 +16,13 @@ RSpec.describe "OmniAuth Callbacks" do
      SiteSetting.enable_google_oauth2_logins = true
    end

+    context "without an `omniauth.auth` env" do
+      it "should return a 404" do
+        get "/auth/eviltrout/callback"
+        expect(response).not_to be_success
+      end
+    end
+
    describe 'when user has been verified' do
      before do
        OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(