From f1d64bbbe577d1784882bea58c5e307b35c1a709 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Thu, 24 Sep 2020 17:06:07 +0100
Subject: [PATCH] FEATURE: Add a site setting to control automatic auth redirect (#10732)

This allows administrators to stop automatic redirect to an external authenticator. It only takes effect when there is a single authentication method, and the site is login_required

---
 app/controllers/application_controller.rb | 4 ++--
 config/locales/server.en.yml | 1 +
 config/site_settings.yml | 2 ++
 spec/requests/application_controller_spec.rb | 18 ++++++++++++++++++
 4 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1d4a19ebe7a..f8cc316c5ce 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -707,11 +707,11 @@ class ApplicationController < ActionController::Base
 def redirect_to_login
 dont_cache_page
- if SiteSetting.enable_sso?
+ if SiteSetting.external_auth_immediately && SiteSetting.enable_sso?
 # save original URL in a session so we can redirect after login
 session[:destination_url] = destination_url
 redirect_to path('/session/sso')
- elsif !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1 && !cookies[:authentication_data]
+ elsif SiteSetting.external_auth_immediately && !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1 && !cookies[:authentication_data]
 # Only one authentication provider, direct straight to it.
 # If authentication_data is present, then we are halfway though registration. Don't redirect offsite
 cookies[:destination_url] = destination_url
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 559fcccebf5..afb1e819ae2 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
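Review bot: Neither amended condition in redirect_to_login documents the new `external_auth_immediately` gate, and the fallback branch taken when the setting is off lies outside this hunk, so a reader of these lines cannot tell what disabling it actually does. A comment above the first `if`, e.g. `# external_auth_immediately=false keeps users on the local login page instead of bouncing them straight to SSO or the sole external provider`, would make the intent explicit. The setting is tested in both branches; if the trailing fallback is a plain redirect to `/login`, a single guard such as `return redirect_to path('/login') unless SiteSetting.external_auth_immediately` ahead of the `if` would avoid repeating it, though the hunk does not show that branch. Nothing here checks `login_required`, so the commit message's claim that the setting only applies on login_required sites presumably rests on the caller of redirect_to_login, which is not visible; the method's body continues past the hunk.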
@@ -1622,6 +1622,7 @@ en:
 block_common_passwords: "Don't allow passwords that are in the 10,000 most common passwords."
 external_auth_skip_create_confirm: When signing up via external auth, skip the create account popup. Best used alongside sso_overrides_email, sso_overrides_username and sso_overrides_name.
+ external_auth_immediately: "Automatically redirect to the external login system without user interaction. This only takes effect when login_required is true, and there is only one external authentication method"
 enable_sso: "Enable single sign on via an external site (WARNING: USERS' EMAIL ADDRESSES *MUST* BE VALIDATED BY THE EXTERNAL SITE!)"
 verbose_sso_logging: "Log verbose SSO related diagnostics to /logs"
diff --git a/config/site_settings.yml b/config/site_settings.yml
index 2a49ef73a40..431c605fa8a 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -424,6 +424,8 @@ login:
 external_auth_skip_create_confirm:
 default: false
 client: true
+ external_auth_immediately:
+ default: true
 enable_sso:
 client: true
 default: false
diff --git a/spec/requests/application_controller_spec.rb b/spec/requests/application_controller_spec.rb
index 2a49f4bfecd..1296935f63f 100644
--- a/spec/requests/application_controller_spec.rb
+++ b/spec/requests/application_controller_spec.rb
@@ -45,6 +45,24 @@ RSpec.describe ApplicationController do
 expect(response).to redirect_to("/login")
 end
+ it "should not redirect to SSO when external_auth_immediately is disabled" do
+ SiteSetting.external_auth_immediately = false
+ SiteSetting.sso_url = 'http://someurl.com'
+ SiteSetting.enable_sso = true
+
+ get "/"
+ expect(response).to redirect_to("/login")
+ end
+
+ it "should not redirect to authenticator when external_auth_immediately is disabled" do
+ SiteSetting.external_auth_immediately = false
+ SiteSetting.enable_google_oauth2_logins = true
+ SiteSetting.enable_local_logins = false
+
+ get "/"
+ expect(response).to redirect_to("/login")
+ end
+
 context "with omniauth in test mode" do
 before do
 OmniAuth.config.test_mode = true
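Review bot: Both new examples assert only the negative path (setting off, response goes to `/login`); neither pins that with `external_auth_immediately` at its default the SSO redirect to `/session/sso` or the single-provider redirect still happens, so a regression that disables the redirect unconditionally would pass unless such examples exist elsewhere in this file, which the hunk does not show. A counterpart example setting `SiteSetting.external_auth_immediately = true` and asserting `expect(response).to redirect_to("/session/sso")` for the SSO case would close that gap. Neither example sets `login_required`, so they rely on a `before` block outside the hunk for the redirect to be triggered at all; a short comment noting that dependency would help. Minor style point: `'http://someurl.com'` uses single quotes while every other string in the hunk uses double quotes.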