2013-02-12 07:47:22 -06:00
|
|
|
# -*- encoding : utf-8 -*-
|
2019-05-02 17:17:27 -05:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2013-02-12 07:47:22 -06:00
|
|
|
class Users::OmniauthCallbacksController < ApplicationController
|
2017-08-30 23:06:56 -05:00
|
|
|
skip_before_action :redirect_to_login_if_required
|
2013-02-12 07:47:22 -06:00
|
|
|
|
2017-11-15 13:04:26 -06:00
|
|
|
layout "no_ember"
|
2013-02-12 07:47:22 -06:00
|
|
|
|
|
|
|
# need to be able to call this
|
2017-08-30 23:06:56 -05:00
|
|
|
skip_before_action :check_xhr
|
2013-02-12 07:47:22 -06:00
|
|
|
|
2013-07-29 00:13:13 -05:00
|
|
|
# this is the only spot where we allow CSRF, our openid / oauth redirect
|
|
|
|
# will not have a CSRF token, however the payload is all validated so its safe
|
2017-08-30 23:06:56 -05:00
|
|
|
skip_before_action :verify_authenticity_token, only: :complete
|
2013-02-12 07:47:22 -06:00
|
|
|
|
2022-05-17 13:06:08 -05:00
|
|
|
allow_in_staff_writes_only_mode :complete
|
|
|
|
|
2019-08-08 05:57:28 -05:00
|
|
|
def confirm_request
|
|
|
|
self.class.find_authenticator(params[:provider])
|
2019-08-08 07:57:18 -05:00
|
|
|
render locals: { hide_auth_buttons: true }
|
2019-08-08 05:57:28 -05:00
|
|
|
end
|
|
|
|
|
2013-02-12 07:47:22 -06:00
|
|
|
def complete
|
2013-08-23 01:20:43 -05:00
|
|
|
auth = request.env["omniauth.auth"]
|
2017-05-04 14:35:03 -05:00
|
|
|
raise Discourse::NotFound unless request.env["omniauth.auth"]
|
2022-05-17 13:06:08 -05:00
|
|
|
raise Discourse::ReadOnly if @readonly_mode && !staff_writes_only_mode?
|
2017-05-04 14:35:03 -05:00
|
|
|
|
2013-11-19 11:58:12 -06:00
|
|
|
auth[:session] = session
|
2013-08-01 00:59:57 -05:00
|
|
|
|
2013-08-23 01:20:43 -05:00
|
|
|
authenticator = self.class.find_authenticator(params[:provider])
|
2013-03-04 12:44:41 -06:00
|
|
|
|
2018-12-11 07:19:00 -06:00
|
|
|
if session.delete(:auth_reconnect) && authenticator.can_connect_existing_user? && current_user
|
2021-08-02 11:57:52 -05:00
|
|
|
path = persist_auth_token(auth)
|
|
|
|
return redirect_to path
|
2018-07-23 10:51:57 -05:00
|
|
|
else
|
2021-08-06 09:26:11 -05:00
|
|
|
DiscourseEvent.trigger(:before_auth, authenticator, auth, session, cookies, request)
|
2018-07-23 10:51:57 -05:00
|
|
|
@auth_result = authenticator.after_authenticate(auth)
|
2021-03-31 07:40:58 -05:00
|
|
|
@auth_result.user = nil if @auth_result&.user&.staged # Treat staged users the same as unregistered users
|
2021-08-06 09:26:11 -05:00
|
|
|
DiscourseEvent.trigger(:after_auth, authenticator, @auth_result, session, cookies, request)
|
2018-07-23 10:51:57 -05:00
|
|
|
end
|
2013-08-01 00:59:57 -05:00
|
|
|
|
2019-05-15 03:55:31 -05:00
|
|
|
preferred_origin = request.env["omniauth.origin"]
|
2018-01-26 11:52:27 -06:00
|
|
|
|
2021-03-31 04:23:12 -05:00
|
|
|
if session[:destination_url].present?
|
|
|
|
preferred_origin = session[:destination_url]
|
|
|
|
session.delete(:destination_url)
|
|
|
|
elsif SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload)
|
2019-05-15 03:55:31 -05:00
|
|
|
preferred_origin = session_sso_provider_url + "?" + payload
|
2018-10-04 13:31:08 -05:00
|
|
|
elsif cookies[:destination_url].present?
|
2019-05-15 03:55:31 -05:00
|
|
|
preferred_origin = cookies[:destination_url]
|
2016-09-15 22:48:50 -05:00
|
|
|
cookies.delete(:destination_url)
|
|
|
|
end
|
|
|
|
|
2019-05-15 03:55:31 -05:00
|
|
|
if preferred_origin.present?
|
2018-03-28 03:20:08 -05:00
|
|
|
parsed =
|
|
|
|
begin
|
2019-05-15 03:55:31 -05:00
|
|
|
URI.parse(preferred_origin)
|
2018-08-14 05:23:32 -05:00
|
|
|
rescue URI::Error
|
2018-03-28 03:20:08 -05:00
|
|
|
end
|
|
|
|
|
2020-12-03 15:27:55 -06:00
|
|
|
if valid_origin?(parsed)
|
2019-05-02 17:17:27 -05:00
|
|
|
@origin = +"#{parsed.path}"
|
2019-03-19 07:39:13 -05:00
|
|
|
@origin << "?#{parsed.query}" if parsed.query
|
2015-10-12 20:23:34 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-10-09 06:51:24 -05:00
|
|
|
@origin = Discourse.base_path("/") if @origin.blank?
|
2015-10-12 20:23:34 -05:00
|
|
|
|
2019-05-15 03:55:31 -05:00
|
|
|
@auth_result.destination_url = @origin
|
2020-11-23 05:06:08 -06:00
|
|
|
@auth_result.authenticator_name = authenticator.name
|
2019-03-19 07:39:13 -05:00
|
|
|
|
2020-11-23 05:06:08 -06:00
|
|
|
return render_auth_result_failure if @auth_result.failed?
|
|
|
|
|
2022-05-17 13:06:08 -05:00
|
|
|
raise Discourse::ReadOnly if staff_writes_only_mode? && !@auth_result.user&.staff?
|
|
|
|
|
2020-11-23 05:06:08 -06:00
|
|
|
complete_response_data
|
|
|
|
|
|
|
|
return render_auth_result_failure if @auth_result.failed?
|
|
|
|
|
2021-08-02 11:57:52 -05:00
|
|
|
client_hash = @auth_result.to_client_hash
|
|
|
|
if authenticator.can_connect_existing_user? &&
|
|
|
|
(SiteSetting.enable_local_logins || Discourse.enabled_authenticators.count > 1)
|
|
|
|
# There is more than one login method, and users are allowed to manage associations themselves
|
|
|
|
client_hash[:associate_url] = persist_auth_token(auth)
|
|
|
|
end
|
|
|
|
|
2020-11-23 05:06:08 -06:00
|
|
|
cookies["_bypass_cache"] = true
|
|
|
|
cookies[:authentication_data] = { value: client_hash.to_json, path: Discourse.base_path("/") }
|
|
|
|
redirect_to @origin
|
2013-02-12 07:47:22 -06:00
|
|
|
end
|
|
|
|
|
2020-12-03 15:27:55 -06:00
|
|
|
def valid_origin?(uri)
|
|
|
|
return false if uri.nil?
|
|
|
|
return false if uri.host.present? && uri.host != Discourse.current_hostname
|
|
|
|
return false if uri.path.start_with?("#{Discourse.base_path}/auth/")
|
|
|
|
return false if uri.path.start_with?("#{Discourse.base_path}/login")
|
|
|
|
true
|
|
|
|
end
|
|
|
|
|
2013-02-14 13:11:13 -06:00
|
|
|
def failure
|
2021-10-26 07:46:25 -05:00
|
|
|
error_key = params[:message].to_s.gsub(/[^\w-]/, "")
|
|
|
|
error_key = "generic" if error_key.blank?
|
|
|
|
|
|
|
|
flash[:error] = I18n.t(
|
|
|
|
"login.omniauth_error.#{error_key}",
|
|
|
|
default: I18n.t("login.omniauth_error.generic"),
|
|
|
|
).html_safe
|
|
|
|
|
2017-11-15 13:04:26 -06:00
|
|
|
render "failure"
|
2013-02-14 13:11:13 -06:00
|
|
|
end
|
|
|
|
|
2013-08-23 01:20:43 -05:00
|
|
|
def self.find_authenticator(name)
|
2018-07-23 10:51:57 -05:00
|
|
|
Discourse.enabled_authenticators.each do |authenticator|
|
|
|
|
return authenticator if authenticator.name == name
|
2013-08-17 23:43:59 -05:00
|
|
|
end
|
2018-07-23 10:51:57 -05:00
|
|
|
raise Discourse::InvalidAccess.new(I18n.t("authenticator_not_found"))
|
2013-02-12 07:47:22 -06:00
|
|
|
end
|
|
|
|
|
2013-08-23 01:20:43 -05:00
|
|
|
protected
|
2013-02-25 22:28:32 -06:00
|
|
|
|
2020-11-23 05:06:08 -06:00
|
|
|
def render_auth_result_failure
|
|
|
|
flash[:error] = @auth_result.failed_reason.html_safe
|
|
|
|
render "failure"
|
|
|
|
end
|
|
|
|
|
2014-09-30 11:24:22 -05:00
|
|
|
def complete_response_data
|
2015-06-24 11:12:43 -05:00
|
|
|
if @auth_result.user
|
|
|
|
user_found(@auth_result.user)
|
2020-12-03 15:27:55 -06:00
|
|
|
elsif invite_required?
|
2015-06-24 11:12:43 -05:00
|
|
|
@auth_result.requires_invite = true
|
2014-09-30 11:24:22 -05:00
|
|
|
else
|
2015-06-24 11:12:43 -05:00
|
|
|
session[:authentication] = @auth_result.session_data
|
2014-09-30 11:24:22 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-12-03 15:27:55 -06:00
|
|
|
def invite_required?
|
2021-03-02 01:13:04 -06:00
|
|
|
if SiteSetting.invite_only?
|
|
|
|
path = Discourse.route_for(@origin)
|
|
|
|
return true unless path
|
|
|
|
return true if path[:controller] != "invites" && path[:action] != "show"
|
|
|
|
!Invite.exists?(invite_key: path[:id])
|
|
|
|
end
|
2020-12-03 15:27:55 -06:00
|
|
|
end
|
|
|
|
|
2013-08-23 01:20:43 -05:00
|
|
|
def user_found(user)
|
2020-01-15 04:27:12 -06:00
|
|
|
if user.has_any_second_factor_methods_enabled?
|
2018-03-01 01:47:07 -06:00
|
|
|
@auth_result.omniauth_disallow_totp = true
|
2018-05-29 23:14:04 -05:00
|
|
|
@auth_result.email = user.email
|
2018-03-01 01:47:07 -06:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2021-03-31 07:40:58 -05:00
|
|
|
# automatically activate any account if a provider marked the email valid
|
2017-02-28 21:58:24 -06:00
|
|
|
if @auth_result.email_valid && @auth_result.email == user.email
|
2019-08-28 06:49:11 -05:00
|
|
|
if !user.active || !user.email_confirmed?
|
|
|
|
user.update!(password: SecureRandom.hex)
|
2019-08-28 08:43:25 -05:00
|
|
|
|
|
|
|
# Ensure there is an active email token
|
2021-11-25 01:34:39 -06:00
|
|
|
if !EmailToken.where(email: user.email, confirmed: true).exists? &&
|
|
|
|
!user.email_tokens.active.where(email: user.email).exists?
|
|
|
|
user.email_tokens.create!(email: user.email, scope: EmailToken.scopes[:signup])
|
2019-08-28 08:43:25 -05:00
|
|
|
end
|
|
|
|
|
2019-08-28 06:49:11 -05:00
|
|
|
user.activate
|
|
|
|
end
|
2017-12-12 06:08:57 -06:00
|
|
|
if user.registration_ip_address.blank?
|
|
|
|
user.update!(registration_ip_address: request.remote_ip)
|
2023-01-09 06:20:10 -06:00
|
|
|
end
|
2013-08-01 21:03:53 -05:00
|
|
|
end
|
|
|
|
|
2015-03-02 11:13:10 -06:00
|
|
|
if ScreenedIpAddress.should_block?(request.remote_ip)
|
2015-06-24 11:12:43 -05:00
|
|
|
@auth_result.not_allowed_from_ip_address = true
|
2015-03-02 11:13:10 -06:00
|
|
|
elsif ScreenedIpAddress.block_admin_login?(user, request.remote_ip)
|
2015-06-24 11:12:43 -05:00
|
|
|
@auth_result.admin_not_allowed_from_ip_address = true
|
2014-09-04 17:50:27 -05:00
|
|
|
elsif Guardian.new(user).can_access_forum? && user.active # log on any account that is active with forum access
|
2020-11-23 05:06:08 -06:00
|
|
|
begin
|
|
|
|
user.save! if @auth_result.apply_user_attributes!
|
2021-12-09 06:30:27 -06:00
|
|
|
@auth_result.apply_associated_attributes!
|
2020-11-23 05:06:08 -06:00
|
|
|
rescue ActiveRecord::RecordInvalid => e
|
|
|
|
@auth_result.failed = true
|
|
|
|
@auth_result.failed_reason = e.record.errors.full_messages.join(", ")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2013-08-23 01:20:43 -05:00
|
|
|
log_on_user(user)
|
2014-01-21 15:53:46 -06:00
|
|
|
Invite.invalidate_for_email(user.email) # invite link can't be used to log in anymore
|
|
|
|
session[:authentication] = nil # don't carry around old auth info, perhaps move elsewhere
|
2015-06-24 11:12:43 -05:00
|
|
|
@auth_result.authenticated = true
|
2013-03-01 09:23:21 -06:00
|
|
|
else
|
2013-08-28 02:18:31 -05:00
|
|
|
if SiteSetting.must_approve_users? && !user.approved?
|
2015-06-24 11:12:43 -05:00
|
|
|
@auth_result.awaiting_approval = true
|
2013-07-11 01:02:18 -05:00
|
|
|
else
|
2015-06-24 11:12:43 -05:00
|
|
|
@auth_result.awaiting_activation = true
|
2013-07-11 01:02:18 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-08-02 11:57:52 -05:00
|
|
|
def persist_auth_token(auth)
|
|
|
|
secret = SecureRandom.hex
|
|
|
|
secure_session.set "#{Users::AssociateAccountsController.key(secret)}",
|
|
|
|
auth.to_json,
|
|
|
|
expires: 10.minutes
|
|
|
|
"#{Discourse.base_path}/associate/#{secret}"
|
|
|
|
end
|
2013-02-12 07:47:22 -06:00
|
|
|
end
|