SECURITY: Check for email verification status during login (#92)
This commit also includes a migration which will deactivate any users with existing connections to unverified-email Patreon accounts. They will be asked to verify their email on their next login.
davidtaylorhq committed Oct 26, 2022
1 parent 0c88b9b commit 846d012
Showing 3 changed files with 70 additions and 0 deletions.
@@ -0,0 +1,18 @@
# frozen_string_literal: true

class DeactivateUnverifiedEmailPatreonAccounts < ActiveRecord::Migration[6.1]
def up
execute <<~SQL
UPDATE users SET active = false
WHERE users.id IN (
SELECT user_id FROM user_associated_accounts
WHERE provider_name = 'patreon'
AND extra -> 'raw_info' -> 'data' -> 'attributes' ->> 'is_email_verified' = 'false'
)
SQL
end

def down
# noop
end
end
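Review bot: The `= 'false'` comparison in the subquery only matches accounts whose stored `extra` carries an explicit false; when `is_email_verified` is absent the `->>` chain yields NULL, the predicate is not true, and the user stays active. The other migration in this commit treats a missing value as unverified via `COALESCE(..., 'false') <> 'true'`, so the two disagree on accounts whose stored `extra` lacks the attribute. If fail-closed is the intent here as well, the filter could read `AND COALESCE(extra -> 'raw_info' -> 'data' -> 'attributes' ->> 'is_email_verified', 'false') <> 'true'`. File names are not visible on this page, so it is worth confirming this migration is ordered before the one that deletes the `user_associated_accounts` rows it selects from.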
@@ -0,0 +1,47 @@
# frozen_string_literal: true

class DeleteUnverifiedPatreonUserInfo < ActiveRecord::Migration[6.1]
def up
execute <<~SQL
DELETE FROM user_auth_tokens
WHERE user_id IN (
SELECT user_id
FROM user_associated_accounts
WHERE provider_name = 'patreon'
AND COALESCE(JSON_EXTRACT_PATH(extra::json, 'raw_info', 'data', 'attributes', 'is_email_verified')::text, 'false') <> 'true'
)
SQL

execute <<~SQL
UPDATE user_api_keys
SET revoked_at = NOW()
WHERE user_id IN (
SELECT user_id
FROM user_associated_accounts
WHERE provider_name = 'patreon'
AND COALESCE(JSON_EXTRACT_PATH(extra::json, 'raw_info', 'data', 'attributes', 'is_email_verified')::text, 'false') <> 'true'
)
SQL

execute <<~SQL
UPDATE api_keys
SET revoked_at = NOW()
WHERE created_by_id IN (
SELECT user_id
FROM user_associated_accounts
WHERE provider_name = 'patreon'
AND COALESCE(JSON_EXTRACT_PATH(extra::json, 'raw_info', 'data', 'attributes', 'is_email_verified')::text, 'false') <> 'true'
)
SQL

execute <<~SQL
DELETE FROM user_associated_accounts
WHERE provider_name = 'patreon'
AND COALESCE(JSON_EXTRACT_PATH(extra::json, 'raw_info', 'data', 'attributes', 'is_email_verified')::text, 'false') <> 'true'
SQL
end

def down
# noop
end
end
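Review bot: Both `SET revoked_at = NOW()` statements also rewrite the timestamp on keys that were already revoked, which loses the original revocation time an auditor would want; adding `AND revoked_at IS NULL` to the `user_api_keys` and `api_keys` updates keeps that history intact. Because `up` deletes rows from `user_auth_tokens` and `user_associated_accounts`, the empty `down` makes a rollback look successful while restoring nothing; `raise ActiveRecord::IrreversibleMigration` would state that explicitly. The same unverified-account predicate is repeated four times, so a short comment above the first `execute` saying that anything other than a literal `true` counts as unverified would help later readers.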
5 changes: 5 additions & 0 deletions plugin.rb
@@ -178,6 +178,7 @@ def custom_build_access_token
info do
{
email: raw_info['data']['attributes']['email'],
email_verified: raw_info['data']['attributes']['is_email_verified'],
name: raw_info['data']['attributes']['full_name']
}
end
@@ -234,6 +235,10 @@ def after_authenticate(auth_token, existing_account: nil)
def enabled?
SiteSetting.patreon_login_enabled
end

def primary_email_verified?(auth_token)
auth_token[:info][:email_verified]
end
end

auth_provider authenticator: Auth::PatreonAuthenticator.new
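Review bot: `primary_email_verified?` returns `auth_token[:info][:email_verified]` as-is, so any truthy value counts as verified, and a string such as `"false"` in the provider payload would pass. Judging by the commit title this value decides whether a Patreon login is trusted for its email address, so a strict check is safer: `auth_token[:info][:email_verified] == true`. The value comes from `raw_info['data']['attributes']['is_email_verified']` in the `info` block of the first hunk, which passes it through without normalising it. The enclosing class begins outside both hunks, and no spec covering the verified and unverified paths is among the three changed files.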
