Revert "Revert "SECURITY: Ensure oAuth authenticated email is the same as created user's email.""

This reverts commit 0e3def7d2b.
This commit is contained in:
Guo Xiang Tan 2017-02-28 11:27:14 +08:00
parent 41c850f31d
commit e6d75f6844
3 changed files with 42 additions and 1 deletions

View File

@ -21,7 +21,10 @@ class UserAuthenticator
end
def finish
authenticator.after_create_account(@user, @session) if authenticator
if authenticator && authenticated?
authenticator.after_create_account(@user, @session)
end
@session = nil
end

View File

@ -0,0 +1,36 @@
require 'rails_helper'
RSpec.describe UserAuthenticator do
let(:user) { Fabricate(:user, email: 'test@discourse.org') }
describe "#finish" do
before do
SiteSetting.enable_google_oauth2_logins = true
end
it "should execute provider's callback" do
user.update!(email: 'test@gmail.com')
authenticator = UserAuthenticator.new(user, { authentication: {
authenticator_name: Auth::GoogleOAuth2Authenticator.new.name,
email: user.email,
email_valid: true,
extra_data: { google_user_id: 1 }
}})
expect { authenticator.finish }.to change { GoogleUserInfo.count }.by(1)
end
describe "when session's email is different from user's email" do
it "should not execute provider's callback" do
authenticator = UserAuthenticator.new(user, { authentication: {
authenticator_name: Auth::GoogleOAuth2Authenticator.new.name,
email: 'test@gmail.com',
email_valid: true
}})
expect { authenticator.finish }.to_not change { GoogleUserInfo.count }
end
end
end
end

View File

@ -611,6 +611,8 @@ describe UsersController do
auth = session[:authentication] = {}
auth[:authenticator_name] = 'twitter'
auth[:extra_data] = twitter_auth
auth[:email_valid] = true
auth[:email] = @user.email
post_user