SECURITY: When enabled only allow Discourse Connect logins

If Discourse Connect is enabled no other methods for account creation or authentication should be allowed.
2025-02-25 18:55:32 -06:00 · 2024-10-24 13:06:55 -06:00
parent 15b43a205b
commit 17bdffc900
9 changed files with 84 additions and 0 deletions
--- a/spec/requests/invites_controller_spec.rb
+++ b/spec/requests/invites_controller_spec.rb
@@ -966,6 +966,14 @@ RSpec.describe InvitesController do
        expect(response.status).to eq(404)
      end

+      it "fails when discourse connect is enabled" do
+        SiteSetting.discourse_connect_url = "https://example.com/sso"
+        SiteSetting.enable_discourse_connect = true
+
+        put "/invites/show/#{invite.invite_key}.json"
+        expect(response.status).to eq(404)
+      end
+
      context "with OmniAuth provider" do
        fab!(:authenticated_email) { "test@example.com" }

--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@@ -3230,6 +3230,22 @@ RSpec.describe SessionController do
          expect(session[:current_user_id]).to eq(nil)
        end

+        it "fails when discourse connect is enabled" do
+          SiteSetting.discourse_connect_url = "https://www.example.com/sso"
+          SiteSetting.enable_discourse_connect = true
+          simulate_localhost_passkey_challenge
+          user.activate
+          user.create_or_fetch_secure_identifier
+          post "/session/passkey/auth.json",
+               params: {
+                 publicKeyCredential:
+                   valid_passkey_auth_data.merge(
+                     { userHandle: Base64.strict_encode64(user.secure_identifier) },
+                   ),
+               }
+          expect(response.status).to eq(403)
+        end
+
        it "logs the user in" do
          simulate_localhost_passkey_challenge
          user.activate
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -785,6 +785,23 @@ RSpec.describe UsersController do
        end
      end

+      context "with discourse connect enabled" do
+        before do
+          SiteSetting.discourse_connect_url = "http://example.com/sso"
+          SiteSetting.enable_discourse_connect = true
+        end
+
+        it "blocks registration for local logins" do
+          SiteSetting.enable_local_logins = true
+          post_user
+
+          response_body = response.parsed_body
+          expect(response_body["message"]).to eq(
+            "New account registrations are only allowed through Discourse Connect.",
+          )
+        end
+      end
+
      context "with local logins disabled" do
        before do
          SiteSetting.enable_local_logins = false