FIX: store information about the login method in the database. (#28054)

Previously in these 2 PRs, we introduced a new site setting `SiteSetting.enforce_second_factor_on_external_auth`.

https://github.com/discourse/discourse/pull/27547
https://github.com/discourse/discourse/pull/27674

When disabled, it should enforce 2FA for local login with username and password and skip the requirement when authenticating with oauth2.

We stored information about the login method in a secure session but it is not reliable. Therefore, information about the login method is moved to the database.
This commit is contained in:
Krzysztof Kotlarek
2024-07-24 17:19:58 +10:00
committed by GitHub
parent 0c13c91f84
commit b64d01bc10
10 changed files with 33 additions and 23 deletions

@@ -140,6 +140,7 @@ class Auth::DefaultCurrentUserProvider
end
current_user = @user_token.try(:user)
current_user.authenticated_with_oauth = @user_token.authenticated_with_oauth if current_user
end
if !current_user
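Review bot: The flag is copied onto the user only in this token-lookup branch (`current_user.authenticated_with_oauth = @user_token.authenticated_with_oauth if current_user`), so a user resolved by whatever follows `if !current_user` keeps the attribute unset. Since the value decides whether the 2FA requirement is skipped, the consumer should treat nil as "not OAuth" and still enforce 2FA. Please add a comment here stating that the attribute is per-request state taken from the auth token, and a spec covering a user resolved without a token.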
@@ -267,6 +268,7 @@ class Auth::DefaultCurrentUserProvider
client_ip: @request.ip,
staff: user.staff?,
impersonate: opts[:impersonate],
authenticated_with_oauth: opts[:authenticated_with_oauth],
)
set_auth_cookie!(@user_token.unhashed_auth_token, user, cookie_jar)
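Review bot: `authenticated_with_oauth: opts[:authenticated_with_oauth]` persists nil whenever a caller omits the option, leaving the stored column with three states (true, false, nil). Because a true value relaxes the 2FA requirement, coerce it at write time (for example `opts[:authenticated_with_oauth] == true`) or make the column non-null with a false default, so that only an explicit true from a completed external login can skip 2FA. A spec asserting that a login without the option stores false would pin this down.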