✨ Trust oidc providers which provides email_verified claim

2025-01-09 08:20:45 -05:00 · 2024-03-26 12:47:54 +01:00 · 2024-03-26 12:47:54 +01:00 · a969550aa4
commit a969550aa4
parent 7e20cf10c5
2 changed files with 18 additions and 13 deletions
--- a/backend/src/app/auth/oidc.clj
+++ b/backend/src/app/auth/oidc.clj
@ -520,17 +520,22 @@
    (redirect-response uri)))
 (defn- provider-matches-profile?
  [{:keys [::provider] :as cfg} {:keys [props] :as profile}]
  (or (= (:auth-backend profile) (:name provider))
      (let [email-prop (qualify-prop-key provider :email)]
        (contains? props email-prop))))
 (defn- provider-has-email-verified?
  [{:keys [::provider] :as cfg} {:keys [props] :as info}]
  (let [prop (qualify-prop-key provider :email_verified)]
    (true? (get props prop))))
 (defn- profile-has-provider-props?
  [{:keys [::provider] :as cfg} profile]
  (let [prop (qualify-prop-key provider :email)]
    (contains? (:props profile) prop)))
 (defn- provider-matches-profile?
  [{:keys [::provider] :as cfg} profile info]
  (or (= (:auth-backend profile) (:name provider))
      (profile-has-provider-props? cfg profile)
      (provider-has-email-verified? cfg info)))
 (defn- process-callback
  [cfg request info profile]
  (cond
@ -539,7 +544,7 @@
      (:is-blocked profile)
      (redirect-with-error "profile-blocked")
-      (not (provider-matches-profile? cfg profile))
+      (not (provider-matches-profile? cfg profile info))
      (redirect-with-error "auth-provider-not-allowed")
      (not (:is-active profile))
--- a/backend/src/app/rpc/commands/verify_token.clj
+++ b/backend/src/app/rpc/commands/verify_token.clj
@ -83,17 +83,17 @@
 (defmethod process-token :auth
  [{:keys [conn] :as cfg} _params {:keys [profile-id] :as claims}]
-  (let [profile (profile/get-profile conn profile-id {::sql/for-update true})
+  (let [profile  (profile/get-profile conn profile-id {::sql/for-update true})
-        props   (merge (:props profile)
+        props    (merge (:props profile)
-                       (:props claims))
+                        (:props claims))]
        profile (assoc profile :props props)]
    (when (not= props (:props profile))
      (db/update! conn :profile
                  {:props (db/tjson props)}
                  {:id profile-id}))
-    (assoc claims :profile profile)))
+
    (let [profile (assoc profile :props props)]
      (assoc claims :profile profile))))
 ;; --- Team Invitation