SECURITY: GitHub authenticator returning unverified emails
This commit is contained in:
parent
551e8616f5
commit
fdc89b1735
5
Gemfile
5
Gemfile
|
@ -130,7 +130,10 @@ gem 'omniauth-openid'
|
||||||
gem 'openid-redis-store'
|
gem 'openid-redis-store'
|
||||||
gem 'omniauth-facebook'
|
gem 'omniauth-facebook'
|
||||||
gem 'omniauth-twitter'
|
gem 'omniauth-twitter'
|
||||||
gem 'omniauth-github'
|
|
||||||
|
# forked while https://github.com/intridea/omniauth-github/pull/41 is being upstreamd
|
||||||
|
gem 'omniauth-github-discourse', require: 'omniauth-github'
|
||||||
|
|
||||||
gem 'omniauth-oauth2', require: false
|
gem 'omniauth-oauth2', require: false
|
||||||
gem 'omniauth-google-oauth2'
|
gem 'omniauth-google-oauth2'
|
||||||
gem 'oj'
|
gem 'oj'
|
||||||
|
|
|
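Review bot: The replacement dependency `gem 'omniauth-github-discourse', require: 'omniauth-github'` carries no version constraint, so the security fix in the authenticator now rides on whatever the fork publishes next; the Gemfile.lock in this commit resolves it to 1.1.2, and pinning that, `gem 'omniauth-github-discourse', '1.1.2', require: 'omniauth-github'`, keeps the verified-email behaviour from silently changing on a future `bundle update`. The comment on the line above should also say what the fork adds and when to drop it, e.g. `# fork adds email_verified to the auth hash; switch back to omniauth-github once intridea/omniauth-github#41 is released`, since the authenticator's `data["email_verified"]` check depends on that fork-only field.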
@ -206,7 +206,7 @@ GEM
|
||||||
rack (~> 1.0)
|
rack (~> 1.0)
|
||||||
omniauth-facebook (1.6.0)
|
omniauth-facebook (1.6.0)
|
||||||
omniauth-oauth2 (~> 1.1)
|
omniauth-oauth2 (~> 1.1)
|
||||||
omniauth-github (1.1.1)
|
omniauth-github-discourse (1.1.2)
|
||||||
omniauth (~> 1.0)
|
omniauth (~> 1.0)
|
||||||
omniauth-oauth2 (~> 1.1)
|
omniauth-oauth2 (~> 1.1)
|
||||||
omniauth-google-oauth2 (0.2.4)
|
omniauth-google-oauth2 (0.2.4)
|
||||||
|
@ -448,7 +448,7 @@ DEPENDENCIES
|
||||||
oj
|
oj
|
||||||
omniauth
|
omniauth
|
||||||
omniauth-facebook
|
omniauth-facebook
|
||||||
omniauth-github
|
omniauth-github-discourse
|
||||||
omniauth-google-oauth2
|
omniauth-google-oauth2
|
||||||
omniauth-oauth2
|
omniauth-oauth2
|
||||||
omniauth-openid
|
omniauth-openid
|
||||||
|
|
|
@ -20,10 +20,11 @@ class Auth::GithubAuthenticator < Auth::Authenticator
|
||||||
}
|
}
|
||||||
|
|
||||||
user_info = GithubUserInfo.find_by(github_user_id: github_user_id)
|
user_info = GithubUserInfo.find_by(github_user_id: github_user_id)
|
||||||
|
result.email_valid = !!data["email_verified"]
|
||||||
|
|
||||||
if user_info
|
if user_info
|
||||||
user = user_info.user
|
user = user_info.user
|
||||||
elsif user = User.find_by_email(email)
|
elsif result.email_valid && (user = User.find_by_email(email))
|
||||||
user_info = GithubUserInfo.create(
|
user_info = GithubUserInfo.create(
|
||||||
user_id: user.id,
|
user_id: user.id,
|
||||||
screen_name: screen_name,
|
screen_name: screen_name,
|
||||||
|
@ -32,7 +33,6 @@ class Auth::GithubAuthenticator < Auth::Authenticator
|
||||||
end
|
end
|
||||||
|
|
||||||
result.user = user
|
result.user = user
|
||||||
result.email_valid = false
|
|
||||||
|
|
||||||
result
|
result
|
||||||
end
|
end
|
||||||
|
|
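Review bot: `result.email_valid = !!data["email_verified"]` ties the whole fix to a key that, per the Gemfile comment in this commit, only the forked omniauth-github strategy populates; with the stock gem the key is absent and the flag stays false, which fails closed but also silently disables email-based account linking, so this line deserves a comment: `# "email_verified" comes only from the forked omniauth-github strategy (see Gemfile); a missing key fails closed to false`. The guard `elsif result.email_valid && (user = User.find_by_email(email))` is the actual security check and its assignment-in-condition is easy to misread, so a one-line comment above it would help: `# only auto-link to an existing account when GitHub has confirmed ownership of the address`. When the address is unverified and matches an existing user, the result carries no user and `email_valid` is false, so the caller is presumably relied on not to treat that address as owned — worth confirming on the consumer side. The enclosing method starts before this hunk, and `data`, `email` and `screen_name` are assigned outside the visible lines.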