Class: Auth::ManagedAuthenticator

Inherits:

Authenticator

• Object
• Authenticator
• Auth::ManagedAuthenticator

Defined in:

lib/auth/managed_authenticator.rb

Direct Known Subclasses

DiscordAuthenticator, FacebookAuthenticator, GithubAuthenticator, GoogleOAuth2Authenticator, TwitterAuthenticator

Instance Method Summary

• #after_authenticate(auth_token, existing_account: nil) ⇒ Object
• #after_create_account(user, auth_result) ⇒ Object
• #always_update_user_email? ⇒ Boolean
• #can_connect_existing_user? ⇒ Boolean
• #can_revoke? ⇒ Boolean
• #description_for_auth_hash(auth_token) ⇒ Object
• #description_for_user(user) ⇒ Object
• #find_user_by_email(auth_token) ⇒ Object
• #find_user_by_username(auth_token) ⇒ Object
• #is_managed? ⇒ Boolean
• #match_by_email ⇒ Object

  These three methods are designed to be overridden by child classes.

• #match_by_username ⇒ Object

  Depending on the authenticator, this could be insecure, so it’s disabled by default.

• #primary_email_verified?(auth_token) ⇒ Boolean
• #retrieve_avatar(user, url) ⇒ Object
• #retrieve_profile(user, info) ⇒ Object
• #revoke(user, skip_remote: false) ⇒ Object

Methods inherited from Authenticator

#enabled?, #name, #provides_groups?, #register_middleware

Instance Method Details

#after_authenticate(auth_token, existing_account: nil) ⇒ Object

# File 'lib/auth/managed_authenticator.rb', line 57

def after_authenticate(auth_token, existing_account: nil)
  # Try and find an association for this account
  association =
    UserAssociatedAccount.find_or_initialize_by(
      provider_name: auth_token[:provider],
      provider_uid: auth_token[:uid],
    )

  # Reconnecting to existing account
  if can_connect_existing_user? && existing_account &&
       (association.user.nil? || existing_account.id != association.user_id)
    association.user = existing_account
  end

  # Matching an account by email
  if match_by_email && association.user.nil? && (user = find_user_by_email(auth_token))
    UserAssociatedAccount.where(user: user, provider_name: auth_token[:provider]).destroy_all # Destroy existing associations for the new user
    association.user = user
  end

  # Matching an account by username
  if match_by_username && association.user.nil? && SiteSetting.username_change_period.zero? &&
       (user = find_user_by_username(auth_token))
    UserAssociatedAccount.where(user: user, provider_name: auth_token[:provider]).destroy_all # Destroy existing associations for the new user
    association.user = user
  end

  # Update all the metadata in the association:
  association.info = auth_token[:info] || {}
  association.credentials = auth_token[:credentials] || {}
  association.extra = auth_token[:extra] || {}

  association.last_used = Time.zone.now

  # Save to the DB. Do this even if we don't have a user - it might be linked up later in after_create_account
  association.save!

  # Update avatar/profile
  retrieve_avatar(association.user, association.info["image"])
  retrieve_profile(association.user, association.info)

  # Build the Auth::Result object
  result = Auth::Result.new
  info = auth_token[:info]
  result.email = info[:email]
  result.name =
    (
      if (info[:first_name] && info[:last_name])
        "#{info[:first_name]} #{info[:last_name]}"
      else
        info[:name]
      end
    )
  if result.name.present? && result.name == result.email
    # Some IDPs send the email address in the name parameter (e.g. Auth0 with default configuration)
    # We add some generic protection here, so that users don't accidently make their email addresses public
    result.name = nil
  end
  result.username = info[:nickname]
  result.email_valid = primary_email_verified?(auth_token) if result.email.present?
  result.overrides_email = always_update_user_email?
  result.extra_data = { provider: auth_token[:provider], uid: auth_token[:uid] }
  result.user = association.user

  result
end

#after_create_account(user, auth_result) ⇒ Object

# File 'lib/auth/managed_authenticator.rb', line 124

def after_create_account(user, auth_result)
  auth_token = auth_result[:extra_data]
  association =
    UserAssociatedAccount.find_or_initialize_by(
      provider_name: auth_token[:provider],
      provider_uid: auth_token[:uid],
    )
  association.user = user
  association.save!

  retrieve_avatar(user, association.info["image"])
  retrieve_profile(user, association.info)

  auth_result.apply_associated_attributes!
end

#always_update_user_email? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/auth/managed_authenticator.rb', line 46

def always_update_user_email?
  false
end

#can_connect_existing_user? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/auth/managed_authenticator.rb', line 42

def can_connect_existing_user?
  true
end

#can_revoke? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/auth/managed_authenticator.rb', line 38

def can_revoke?
  true
end

#description_for_auth_hash(auth_token) ⇒ Object

# File 'lib/auth/managed_authenticator.rb', line 16

def description_for_auth_hash(auth_token)
  return if auth_token&.info.nil?
  info = auth_token.info
  info["email"] || info["nickname"] || info["name"]
end

#description_for_user(user) ⇒ Object

# File 'lib/auth/managed_authenticator.rb', line 10

def description_for_user(user)
  associated_account = UserAssociatedAccount.find_by(provider_name: name, user_id: user.id)
  return "" if associated_account.nil?
  description_for_auth_hash(associated_account) || I18n.t("associated_accounts.connected")
end

#find_user_by_email(auth_token) ⇒ Object

# File 'lib/auth/managed_authenticator.rb', line 140

def find_user_by_email(auth_token)
  email = auth_token.dig(:info, :email)
  User.find_by_email(email) if email && primary_email_verified?(auth_token)
end

#find_user_by_username(auth_token) ⇒ Object

# File 'lib/auth/managed_authenticator.rb', line 145

def find_user_by_username(auth_token)
  username = auth_token.dig(:info, :nickname)
  User.find_by_username(username) if username
end

#is_managed? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/auth/managed_authenticator.rb', line 4

def is_managed?
  # Tells core that it can safely assume this authenticator
  # uses UserAssociatedAccount
  true
end

#match_by_email ⇒ Object

These three methods are designed to be overridden by child classes

# File 'lib/auth/managed_authenticator.rb', line 23

def match_by_email
  true
end

#match_by_username ⇒ Object

Depending on the authenticator, this could be insecure, so it’s disabled by default

# File 'lib/auth/managed_authenticator.rb', line 28

def match_by_username
  false
end

#primary_email_verified?(auth_token) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/auth/managed_authenticator.rb', line 32

def primary_email_verified?(auth_token)
  # Omniauth providers should only provide verified emails in the :info hash.
  # This method allows additional checks to be added
  false
end

#retrieve_avatar(user, url) ⇒ Object

# File 'lib/auth/managed_authenticator.rb', line 150

def retrieve_avatar(user, url)
  return unless user && url
  return if user.user_avatar.try(:custom_upload_id).present?
  Jobs.enqueue(:download_avatar_from_url, url: url, user_id: user.id, override_gravatar: false)
end

#retrieve_profile(user, info) ⇒ Object

# File 'lib/auth/managed_authenticator.rb', line 156

def retrieve_profile(user, info)
  return unless user

  bio = info["description"]
  location = info["location"]

  if bio || location
    profile = user.user_profile
    profile.bio_raw = bio unless profile.bio_raw.present?
    profile.location = location unless profile.location.present?
    profile.save
  end
end

#revoke(user, skip_remote: false) ⇒ Object

Raises:

• (Discourse::NotFound)

# File 'lib/auth/managed_authenticator.rb', line 50

def revoke(user, skip_remote: false)
  association = UserAssociatedAccount.find_by(provider_name: name, user_id: user.id)
  raise Discourse::NotFound if association.nil?
  association.destroy!
  true
end