Class: Auth::GoogleOAuth2Authenticator

Inherits:
ManagedAuthenticator show all
Defined in:
lib/auth/google_oauth2_authenticator.rb

Constant Summary collapse

# OAuth scope requested for group lookups; the scope name is the read-only
# Admin Directory group scope, so it grants no write access to groups.
GROUPS_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"
# Host and path of the Admin Directory groups endpoint.
GROUPS_DOMAIN = "admin.googleapis.com"
GROUPS_PATH = "/admin/directory/v1/groups"
# Base URL of Google's OAuth2 service.
OAUTH2_BASE_URL = "https://oauth2.googleapis.com"

Instance Method Summary collapse

Methods inherited from ManagedAuthenticator

#after_create_account, #always_update_user_email?, #can_connect_existing_user?, #can_revoke?, #description_for_auth_hash, #description_for_user, #find_user_by_email, #find_user_by_username, #is_managed?, #match_by_email, #match_by_username, #retrieve_avatar, #retrieve_profile, #revoke

Methods inherited from Authenticator

#after_create_account, #can_connect_existing_user?, #can_revoke?, #description_for_auth_hash, #description_for_user, #revoke

Instance Method Details

#after_authenticate(auth_token, existing_account: nil) ⇒ Object



# File 'lib/auth/google_oauth2_authenticator.rb', line 57

# Completes a Google sign-in and, when group lookups are enabled, attaches the
# user's Google groups to the authentication result.
#
# The raw group list is stored in +auth_token.extra[:raw_groups]+ before the
# parent implementation runs. Only the +:id+ and +:name+ of each group are
# copied onto the result; every other attribute returned by the lookup is
# dropped.
#
# @param auth_token [Object] OmniAuth auth hash; +uid+ and +extra+ are read
# @param existing_account [Object, nil] forwarded unchanged to the parent
# @return [Object] the result built by the parent authenticator
def after_authenticate(auth_token, existing_account: nil)
  fetched_groups = raw_groups(auth_token.uid) if provides_groups?
  auth_token.extra[:raw_groups] = fetched_groups if fetched_groups

  result = super
  return result unless fetched_groups

  result.associated_groups =
    fetched_groups.map do |group|
      group.with_indifferent_access.slice(:id, :name)
    end
  result
end

#enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/auth/google_oauth2_authenticator.rb', line 13

# Reports whether Google OAuth2 sign-in is switched on for this site.
#
# @return [Boolean] the value of the +enable_google_oauth2_logins+ site setting
def enabled?
  SiteSetting.enable_google_oauth2_logins
end

#name ⇒ Object



# File 'lib/auth/google_oauth2_authenticator.rb', line 9

# Provider identifier for this authenticator; it matches the strategy name
# registered in #register_middleware.
#
# @return [String] always "google_oauth2"
def name
  "google_oauth2"
end

#primary_email_verified?(auth_token) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/auth/google_oauth2_authenticator.rb', line 17

# Reports whether Google marked the account's primary email as verified.
#
# Emails returned by Google through OmniAuth are expected to be verified
# already; the flag is still read from the raw profile data, rather than
# assumed, to guard against future regressions.
#
# NOTE(review): the value is returned as-is, so anything other than nil or
# false (including a string such as "false") is truthy. Confirm the provider
# always supplies a real boolean here.
#
# @param auth_token [#[]] OmniAuth auth hash for the sign-in
# @return [Boolean] the +email_verified+ value found under +extra.raw_info+
def primary_email_verified?(auth_token)
  raw_info = auth_token[:extra][:raw_info]
  raw_info[:email_verified]
end

#provides_groups? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/auth/google_oauth2_authenticator.rb', line 71

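# Reports whether Google group membership can be looked up for signed-in users.
#
# All four site settings must be configured: a hosted domain, the group
# toggle, the service account admin email and the service account JSON.
# A missing value makes the expression falsy, so group lookups stay off.
#
# NOTE(review): the service account JSON setting presumably holds a
# credential; confirm it is stored and displayed as a secret.
#
# @return [Boolean] truthy only when every required setting is present
def provides_groups?
  SiteSetting.google_oauth2_hd.present? && SiteSetting.google_oauth2_hd_groups &&
    SiteSetting.google_oauth2_hd_groups_service_account_admin_email.present? &&
    SiteSetting.google_oauth2_hd_groups_service_account_json.present?
end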

#register_middleware(omniauth) ⇒ Object



# File 'lib/auth/google_oauth2_authenticator.rb', line 23

# Registers the :google_oauth2 OmniAuth provider with a per-request setup hook.
#
# The hook copies the current site settings onto the strategy options, so
# credential and domain changes apply without re-registering the provider.
#
# @param omniauth [#provider] OmniAuth builder the strategy is registered on
# @return [Object] whatever +omniauth.provider+ returns
def register_middleware(omniauth)
  configure_strategy = ->(env) do
    strategy_options = env["omniauth.strategy"].options
    strategy_options[:client_id] = SiteSetting.google_oauth2_client_id
    strategy_options[:client_secret] = SiteSetting.google_oauth2_client_secret

    # NOTE(review): hd is passed to the strategy as an option here; confirm the
    # strategy also enforces the hosted domain on the response, since a value
    # sent only with the authorization request would not be a restriction.
    hosted_domain = SiteSetting.google_oauth2_hd
    strategy_options[:hd] = hosted_domain if hosted_domain.present?

    # The setting separates prompt values with "|"; the strategy receives them
    # space-separated.
    prompt_setting = SiteSetting.google_oauth2_prompt
    strategy_options[:prompt] = prompt_setting.gsub("|", " ") if prompt_setting.present?

    strategy_options[:client_options][:connection_build] = ->(builder) do
      # NOTE(review): bodies: true asks the logger to include message bodies,
      # which for OAuth2 traffic can carry tokens. Presumably
      # Auth::OauthFaradayFormatter filters them; confirm, and keep verbose
      # logging off outside debugging.
      if SiteSetting.google_oauth2_verbose_logging
        builder.response :logger,
                         Rails.logger,
                         { bodies: true, formatter: Auth::OauthFaradayFormatter }
      end
      builder.request :url_encoded
      builder.adapter FinalDestination::FaradayAdapter
    end

    # Everything needed for the `info` and `credentials` parts of the auth hash
    # comes from the user info API rather than the JWT. Verifying the JWT can
    # fail because of clock skew, so it is skipped entirely.
    # https://github.com/zquestz/omniauth-google-oauth2/pull/392
    strategy_options[:skip_jwt] = true
  end

  provider_options = { setup: configure_strategy }
  omniauth.provider :google_oauth2, provider_options
end