go-gitea · 6543 · Apr 14, 2021 · Oct 19, 2018 · Oct 19, 2018 · Oct 19, 2018
diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample
@@ -310,6 +310,11 @@ REGISTER_EMAIL_CONFIRM = false
 DISABLE_REGISTRATION = false
 ; Allow registration only using third part services, it works only when DISABLE_REGISTRATION is false
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+; Automatically create user accounts for new oauth2 users.
+ENABLE_OAUTH2_AUTO_REGISTRATION = false
+; Whether a new auto registered oauth2 user needs to confirm their email.
+; Do not include to use the REGISTER_EMAIL_CONFIRM setting.
+; OAUTH2_REGISTER_EMAIL_CONFIRM =
 ; User must sign in to view anything.
 REQUIRE_SIGNIN_VIEW = false
 ; Mail notification

diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -182,6 +182,10 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
    Requires `Mailer` to be enabled.
 - `DISABLE_REGISTRATION`: **false**: Disable registration, after which only admin can create
    accounts for users.
+- `ENABLE_OAUTH2_AUTO_REGISTRATION`: **false**: Enable this to allow auto-registration
+   for oauth2 authentication.
+- `OAUTH2_REGISTER_EMAIL_CONFIRM`: **REGISTER\_EMAIL\_CONFIRM**: Set this to enable or disable
+   mail confirmation of OAuth2 auto-registration.
 - `REQUIRE_SIGNIN_VIEW`: **false**: Enable this to force users to log in to view any page.
 - `ENABLE_NOTIFY_MAIL`: **false**: Enable this to send e-mail to watchers of a repository when
    something happens, like creating issues. Requires `Mailer` to be enabled.

diff --git a/modules/auth/oauth2/oauth2.go b/modules/auth/oauth2/oauth2.go
@@ -167,7 +167,7 @@ func createProvider(providerName, providerType, clientID, clientSecret, openIDCo
 	case "gplus":
 		provider = gplus.New(clientID, clientSecret, callbackURL, "email")
 	case "openidConnect":
-		if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL); err != nil {
+		if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL, setting.Service.OAuth2OpenIDConnectScopes...); err != nil {
 			log.Warn("Failed to create OpenID Connect Provider with name '%s' with url '%s': %v", providerName, openIDConnectAutoDiscoveryURL, err)
 		}
 	case "twitter":

diff --git a/modules/setting/setting.go b/modules/setting/setting.go
@@ -1203,6 +1203,9 @@ var Service struct {
 	DisableRegistration                     bool
 	AllowOnlyExternalRegistration           bool
 	ShowRegistrationButton                  bool
+	EnableOAuth2AutoRegister                bool
+	OAuth2RegisterEmailConfirm              bool
+	OAuth2OpenIDConnectScopes               []string
 	RequireSignInView                       bool
 	EnableNotifyMail                        bool
 	EnableReverseProxyAuth                  bool
@@ -1233,6 +1236,19 @@ func newService() {
 	Service.DisableRegistration = sec.Key("DISABLE_REGISTRATION").MustBool()
 	Service.AllowOnlyExternalRegistration = sec.Key("ALLOW_ONLY_EXTERNAL_REGISTRATION").MustBool()
 	Service.ShowRegistrationButton = sec.Key("SHOW_REGISTRATION_BUTTON").MustBool(!(Service.DisableRegistration || Service.AllowOnlyExternalRegistration))
+	Service.EnableOAuth2AutoRegister = sec.Key("ENABLE_OAUTH2_AUTO_REGISTRATION").MustBool()
+	Service.OAuth2RegisterEmailConfirm = sec.Key("OAUTH2_REGISTER_EMAIL_CONFIRM").MustBool(Service.RegisterEmailConfirm)
+	if !sec.HasKey("OAUTH2_OPENID_CONNECT_SCOPES") && Service.EnableOAuth2AutoRegister {
+		Service.OAuth2OpenIDConnectScopes = []string{"profile", "email"}
+	} else {
+		pats := sec.Key("OAUTH2_OPENID_CONNECT_SCOPES").Strings(" ")
+		Service.OAuth2OpenIDConnectScopes = make([]string, 0, len(pats))
+		for _, scope := range pats {
+			if scope != "" {
+				Service.OAuth2OpenIDConnectScopes = append(Service.OAuth2OpenIDConnectScopes, scope)
+			}
+		}
+	}
 	Service.RequireSignInView = sec.Key("REQUIRE_SIGNIN_VIEW").MustBool()
 	Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
 	Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()

diff --git a/routers/user/auth.go b/routers/user/auth.go
@@ -508,10 +508,10 @@ func SignInOAuth(ctx *context.Context) {
 	}
 
 	// try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user
-	user, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req.Request, ctx.Resp)
+	user, _, err := oAuth2UserLoginCallback(loginSource, ctx.Req.Request, ctx.Resp)
 	if err == nil && user != nil {
 		// we got the user without going through the whole OAuth2 authentication flow again
-		handleOAuth2SignIn(user, gothUser, ctx, err)
+		handleOAuth2SignIn(ctx, user)
 		return
 	}
 
@@ -540,25 +540,43 @@ func SignInOAuthCallback(ctx *context.Context) {
 
 	u, gothUser, err := oAuth2UserLoginCallback(loginSource, ctx.Req.Request, ctx.Resp)
 
-	handleOAuth2SignIn(u, gothUser, ctx, err)
-}
-
-func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context, err error) {
 	if err != nil {
 		ctx.ServerError("UserSignIn", err)
 		return
 	}
 
 	if u == nil {
-		// no existing user is found, request attach or new account
-		ctx.Session.Set("linkAccountGothUser", gothUser)
-		ctx.Redirect(setting.AppSubURL + "/user/link_account")
-		return
+		if setting.Service.EnableOAuth2AutoRegister {
+			// create new user with details from oauth2 provider
+			u = &models.User{
+				Name:        gothUser.UserID,
+				FullName:    gothUser.Name,
+				Email:       gothUser.Email,
+				IsActive:    !setting.Service.OAuth2RegisterEmailConfirm,
+				LoginType:   models.LoginOAuth2,
+				LoginSource: loginSource.ID,
+				LoginName:   gothUser.UserID,
+			}
+
+			if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u) {
+				// error already handled
+				return
+			}
+		} else {
+			// no existing user is found, request attach or new account
+			ctx.Session.Set("linkAccountGothUser", gothUser)
+			ctx.Redirect(setting.AppSubURL + "/user/link_account")
+			return
+		}
 	}
 
+	handleOAuth2SignIn(ctx, u)
+}
+
+func handleOAuth2SignIn(ctx *context.Context, u *models.User) {
 	// If this user is enrolled in 2FA, we can't sign the user in just yet.
 	// Instead, redirect them to the 2FA authentication page.
-	_, err = models.GetTwoFactorByUID(u.ID)
+	_, err := models.GetTwoFactorByUID(u.ID)
 	if err != nil {
 		if models.IsErrTwoFactorNotEnrolled(err) {
 			ctx.Session.Set("uid", u.ID)
@@ -810,49 +828,8 @@ func LinkAccountPostRegister(ctx *context.Context, cpt *captcha.Captcha, form au
 		LoginName:   gothUser.(goth.User).UserID,
 	}
 
-	if err := models.CreateUser(u); err != nil {
-		switch {
-		case models.IsErrUserAlreadyExist(err):
-			ctx.Data["Err_UserName"] = true
-			ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tplLinkAccount, &form)
-		case models.IsErrEmailAlreadyUsed(err):
-			ctx.Data["Err_Email"] = true
-			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplLinkAccount, &form)
-		case models.IsErrNameReserved(err):
-			ctx.Data["Err_UserName"] = true
-			ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(models.ErrNameReserved).Name), tplLinkAccount, &form)
-		case models.IsErrNamePatternNotAllowed(err):
-			ctx.Data["Err_UserName"] = true
-			ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(models.ErrNamePatternNotAllowed).Pattern), tplLinkAccount, &form)
-		default:
-			ctx.ServerError("CreateUser", err)
-		}
-		return
-	}
-	log.Trace("Account created: %s", u.Name)
-
-	// Auto-set admin for the only user.
-	if models.CountUsers() == 1 {
-		u.IsAdmin = true
-		u.IsActive = true
-		u.SetLastLogin()
-		if err := models.UpdateUserCols(u, "is_admin", "is_active", "last_login_unix"); err != nil {
-			ctx.ServerError("UpdateUser", err)
-			return
-		}
-	}
-
-	// Send confirmation email
-	if setting.Service.RegisterEmailConfirm && u.ID > 1 {
-		models.SendActivateAccountMail(ctx.Context, u)
-		ctx.Data["IsSendRegisterMail"] = true
-		ctx.Data["Email"] = u.Email
-		ctx.Data["ActiveCodeLives"] = base.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())
-		ctx.HTML(200, TplActivate)
-
-		if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
-			log.Error(4, "Set cache(MailResendLimit) fail: %v", err)
-		}
+	if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u) {
+		// error already handled
 		return
 	}
 
@@ -943,27 +920,64 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo
 		Passwd:   form.Password,
 		IsActive: !setting.Service.RegisterEmailConfirm,
 	}
+
+	if !createAndHandleCreatedUser(ctx, tplSignUp, form, u) {
+		// error already handled
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("auth.sign_up_successful"))
+	handleSignInFull(ctx, u, false, true)
+}
+
+// CreateAndHandleCreatedUser calls createUserInContext and
+// then handleUserCreated.
+func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form interface{}, u *models.User) (ok bool) {
+	ok = createUserInContext(ctx, tpl, form, u)
+	if !ok {
+		return
+	}
+	ok = handleUserCreated(ctx, u)
+	return
+}
+
+// CreateUserInContext creates a user and handles errors within a given context.
+// Optionaly a template can be specified.
+func createUserInContext(ctx *context.Context, tpl base.TplName, form interface{}, u *models.User) (ok bool) {
 	if err := models.CreateUser(u); err != nil {
+		// handle error without template
+		if len(tpl) == 0 {
+			ctx.ServerError("CreateUser", err)
+			return
+		}
+
+		// handle error with template
 		switch {
 		case models.IsErrUserAlreadyExist(err):
 			ctx.Data["Err_UserName"] = true
-			ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tplSignUp, &form)
+			ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tpl, &form)
 		case models.IsErrEmailAlreadyUsed(err):
 			ctx.Data["Err_Email"] = true
-			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignUp, &form)
+			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tpl, &form)
 		case models.IsErrNameReserved(err):
 			ctx.Data["Err_UserName"] = true
-			ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(models.ErrNameReserved).Name), tplSignUp, &form)
+			ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(models.ErrNameReserved).Name), tpl, &form)
 		case models.IsErrNamePatternNotAllowed(err):
 			ctx.Data["Err_UserName"] = true
-			ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(models.ErrNamePatternNotAllowed).Pattern), tplSignUp, &form)
+			ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(models.ErrNamePatternNotAllowed).Pattern), tpl, &form)
 		default:
 			ctx.ServerError("CreateUser", err)
 		}
 		return
 	}
 	log.Trace("Account created: %s", u.Name)
+	return true
+}
 
+// HandleUserCreated does additional steps after a new user is created.
+// It auto-sets admin for the only user and
+// sends a confirmation email if required.
+func handleUserCreated(ctx *context.Context, u *models.User) (ok bool) {
 	// Auto-set admin for the only user.
 	if models.CountUsers() == 1 {
 		u.IsAdmin = true
@@ -975,8 +989,8 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo
 		}
 	}
 
-	// Send confirmation email, no need for social account.
-	if setting.Service.RegisterEmailConfirm && u.ID > 1 {
+	// Send confirmation email
+	if !u.IsActive && u.ID > 1 {
 		models.SendActivateAccountMail(ctx.Context, u)
 		ctx.Data["IsSendRegisterMail"] = true
 		ctx.Data["Email"] = u.Email
@@ -989,8 +1003,7 @@ func SignUpPost(ctx *context.Context, cpt *captcha.Captcha, form auth.RegisterFo
 		return
 	}
 
-	ctx.Flash.Success(ctx.Tr("auth.sign_up_successful"))
-	handleSignInFull(ctx, u, false, true)
+	return true
 }
 
 // Activate render activate user page

diff --git a/routers/user/auth_openid.go b/routers/user/auth_openid.go
@@ -366,33 +366,16 @@ func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.Si
 		return
 	}
 
-	// TODO: abstract a finalizeSignUp function ?
 	u := &models.User{
 		Name:     form.UserName,
 		Email:    form.Email,
 		Passwd:   password,
 		IsActive: !setting.Service.RegisterEmailConfirm,
 	}
-	if err := models.CreateUser(u); err != nil {
-		switch {
-		case models.IsErrUserAlreadyExist(err):
-			ctx.Data["Err_UserName"] = true
-			ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tplSignUpOID, &form)
-		case models.IsErrEmailAlreadyUsed(err):
-			ctx.Data["Err_Email"] = true
-			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignUpOID, &form)
-		case models.IsErrNameReserved(err):
-			ctx.Data["Err_UserName"] = true
-			ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(models.ErrNameReserved).Name), tplSignUpOID, &form)
-		case models.IsErrNamePatternNotAllowed(err):
-			ctx.Data["Err_UserName"] = true
-			ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(models.ErrNamePatternNotAllowed).Pattern), tplSignUpOID, &form)
-		default:
-			ctx.ServerError("CreateUser", err)
-		}
+	if !createUserInContext(ctx, tplSignUpOID, form, u) {
+		// error already handled
 		return
 	}
-	log.Trace("Account created: %s", u.Name)
 
 	// add OpenID for the user
 	userOID := &models.UserOpenID{UID: u.ID, URI: oid}
@@ -405,28 +388,8 @@ func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.Si
 		return
 	}
 
-	// Auto-set admin for the only user.
-	if models.CountUsers() == 1 {
-		u.IsAdmin = true
-		u.IsActive = true
-		u.SetLastLogin()
-		if err := models.UpdateUserCols(u, "is_admin", "is_active", "last_login_unix"); err != nil {
-			ctx.ServerError("UpdateUser", err)
-			return
-		}
-	}
-
-	// Send confirmation email, no need for social account.
-	if setting.Service.RegisterEmailConfirm && u.ID > 1 {
-		models.SendActivateAccountMail(ctx.Context, u)
-		ctx.Data["IsSendRegisterMail"] = true
-		ctx.Data["Email"] = u.Email
-		ctx.Data["ActiveCodeLives"] = base.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())
-		ctx.HTML(200, TplActivate)
-
-		if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
-			log.Error(4, "Set cache(MailResendLimit) fail: %v", err)
-		}
+	if !handleUserCreated(ctx, u) {
+		// error already handled
 		return
 	}