0
Fork 0
mirror of https://github.com/penpot/penpot.git synced 2025-01-09 00:10:11 -05:00

Trust oidc providers which provides email_verified claim

This commit is contained in:
Andrey Antukh 2024-03-26 12:47:54 +01:00 committed by Andrés Moya
parent 7e20cf10c5
commit a969550aa4
2 changed files with 18 additions and 13 deletions

View file

@ -520,17 +520,22 @@
(redirect-response uri)))
(defn- provider-matches-profile?
[{:keys [::provider] :as cfg} {:keys [props] :as profile}]
(or (= (:auth-backend profile) (:name provider))
(let [email-prop (qualify-prop-key provider :email)]
(contains? props email-prop))))
(defn- provider-has-email-verified?
[{:keys [::provider] :as cfg} {:keys [props] :as info}]
(let [prop (qualify-prop-key provider :email_verified)]
(true? (get props prop))))
(defn- profile-has-provider-props?
[{:keys [::provider] :as cfg} profile]
(let [prop (qualify-prop-key provider :email)]
(contains? (:props profile) prop)))
(defn- provider-matches-profile?
[{:keys [::provider] :as cfg} profile info]
(or (= (:auth-backend profile) (:name provider))
(profile-has-provider-props? cfg profile)
(provider-has-email-verified? cfg info)))
(defn- process-callback
[cfg request info profile]
(cond
@ -539,7 +544,7 @@
(:is-blocked profile)
(redirect-with-error "profile-blocked")
(not (provider-matches-profile? cfg profile))
(not (provider-matches-profile? cfg profile info))
(redirect-with-error "auth-provider-not-allowed")
(not (:is-active profile))

View file

@ -83,17 +83,17 @@
(defmethod process-token :auth
[{:keys [conn] :as cfg} _params {:keys [profile-id] :as claims}]
(let [profile (profile/get-profile conn profile-id {::sql/for-update true})
props (merge (:props profile)
(:props claims))
profile (assoc profile :props props)]
(let [profile (profile/get-profile conn profile-id {::sql/for-update true})
props (merge (:props profile)
(:props claims))]
(when (not= props (:props profile))
(db/update! conn :profile
{:props (db/tjson props)}
{:id profile-id}))
(assoc claims :profile profile)))
(let [profile (assoc profile :props props)]
(assoc claims :profile profile))))
;; --- Team Invitation