@ -19,17 +19,18 @@ module User::Omniauthable
end
end
class_methods do
class_methods do
def find_for_o auth( auth , signed_in_resource = nil )
def find_for_o mni auth( auth , signed_in_resource = nil )
# EOLE-SSO Patch
# EOLE-SSO Patch
auth . uid = ( auth . uid [ 0 ] [ :uid ] || auth . uid [ 0 ] [ :user ] ) if auth . uid . is_a? Hashie :: Array
auth . uid = ( auth . uid [ 0 ] [ :uid ] || auth . uid [ 0 ] [ :user ] ) if auth . uid . is_a? Hashie :: Array
identity = Identity . find_for_o auth( auth )
identity = Identity . find_for_o mni auth( auth )
# If a signed_in_resource is provided it always overrides the existing user
# If a signed_in_resource is provided it always overrides the existing user
# to prevent the identity being locked with accidentally created accounts.
# to prevent the identity being locked with accidentally created accounts.
# Note that this may leave zombie accounts (with no associated identity) which
# Note that this may leave zombie accounts (with no associated identity) which
# can be cleaned up at a later date.
# can be cleaned up at a later date.
user = signed_in_resource || identity . user
user = signed_in_resource || identity . user
user || = create_for_oauth ( auth )
user || = reattach_for_auth ( auth )
user || = create_for_auth ( auth )
if identity . user . nil?
if identity . user . nil?
identity . user = user
identity . user = user
@ -39,19 +40,35 @@ module User::Omniauthable
user
user
end
end
def create_for_oauth ( auth )
private
# Check if the user exists with provided email. If no email was provided,
# we assign a temporary email and ask the user to verify it on
# the next step via Auth::SetupController.show
strategy = Devise . omniauth_configs [ auth . provider . to_sym ] . strategy
def reattach_for_auth ( auth )
assume_verified = strategy & . security & . assume_email_is_verified
# If allowed, check if a user exists with the provided email address,
email_is_verified = auth . info . verified || auth . info . verified_email || auth . info . email_verified || assume_verified
# and return it if they does not have an associated identity with the
email = auth . info . verified_email || auth . info . email
# current authentication provider.
# This can be used to provide a choice of alternative auth providers
# or provide smooth gradual transition between multiple auth providers,
# but this is discouraged because any insecure provider will put *all*
# local users at risk, regardless of which provider they registered with.
return unless ENV [ 'ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH' ] == 'true'
user = User . find_by ( email : email ) if email_is_verified
email , email_is_verified = email_from_auth ( auth )
return unless email_is_verified
return user unless user . nil?
user = User . find_by ( email : email )
return if user . nil? || Identity . exists? ( provider : auth . provider , user_id : user . id )
user
end
def create_for_auth ( auth )
# Create a user for the given auth params. If no email was provided,
# we assign a temporary email and ask the user to verify it on
# the next step via Auth::SetupController.show
email , email_is_verified = email_from_auth ( auth )
user = User . new ( user_params_from_auth ( email , auth ) )
user = User . new ( user_params_from_auth ( email , auth ) )
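Review bot: `reattach_for_auth` bails out only when `email_is_verified` is false, yet that flag can be true while `email` is nil, because `email_from_auth` (defined in the following hunk) ORs in `assume_email_is_verified` regardless of whether `auth.info.verified_email` or `auth.info.email` is present, so the lookup can run as `User.find_by(email: nil)`. Tightening the guard to `return if email.blank? || !email_is_verified` makes the reattach path explicitly require a concrete address before it matches an existing local account, which is the sensitive step this env-gated helper exists to protect. The same check is worth applying in `create_for_auth`, whose body continues past the end of this hunk. The enclosing `class_methods do` block opens before this hunk.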
@ -66,7 +83,14 @@ module User::Omniauthable
user
user
end
end
private
def email_from_auth ( auth )
strategy = Devise . omniauth_configs [ auth . provider . to_sym ] . strategy
assume_verified = strategy & . security & . assume_email_is_verified
email_is_verified = auth . info . verified || auth . info . verified_email || auth . info . email_verified || assume_verified
email = auth . info . verified_email || auth . info . email
[ email , email_is_verified ]
end
def user_params_from_auth ( email , auth )
def user_params_from_auth ( email , auth )
{
{