SECURITY: correct edge case when SSO provides unvalidated emails

app/models/discourse_single_sign_on.rb

@@ -162,7 +162,8 @@ class DiscourseSingleSignOn < SingleSignOn
     # Use a mutex here to counter SSO requests that are sent at the same time w
     # the same email payload
     DistributedMutex.synchronize("discourse_single_sign_on_#{email}") do
-      unless user = User.find_by_email(email)
+      user = User.find_by_email(email) if !require_activation
+      if !user
         try_name = name.presence
         try_username = username.presence
 

spec/models/discourse_single_sign_on_spec.rb

@@ -377,6 +377,15 @@ describe DiscourseSingleSignOn do
       sso.require_activation = true
       user = sso.lookup_or_create_user(ip_address)
       expect(user.active).to eq(false)
+
+      user.activate
+
+      sso.external_id = "B"
+
+      expect do
+        sso.lookup_or_create_user(ip_address)
+      end.to raise_error(ActiveRecord::RecordInvalid)
+
     end
 
     it 'does not deactivate user if email provided is capitalized' do