Use only verified email address to prevent fake email address

Co-authored-by: David Taylor <david@taylorhq.com>
nhosoya · Dec 2, 2020 · b37d540 · b37d540
1 parent 45cf13d
commit b37d540
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/lib/omniauth/strategies/apple.rb b/lib/omniauth/strategies/apple.rb
@@ -104,7 +104,7 @@ def user_info
       end
 
       def email
-        user_info['email'] || id_info['email']
+        id_info['email']
       end
 
       def first_name

diff --git a/spec/omniauth/strategies/apple_spec.rb b/spec/omniauth/strategies/apple_spec.rb
@@ -252,6 +252,21 @@
       end
     end
 
+    context 'with a spoofed email in the user payload' do
+      before do
+        request.params['user'] = {
+          name: {
+            firstName: 'first',
+            lastName: 'last'
+          },
+          email: "spoofed@example.com"
+        }.to_json
+      end
+
+      it 'should return the true email' do
+        expect(subject.info[:email]).to eq('something@privatrerelay.appleid.com')
+      end
+    end
   end
 
   describe '#extra' do