SuperSeriousBusiness/GoToSocial
1
1
Fork 0
mirror of https://github.com/superseriousbusiness/gotosocial synced 2025-06-05 21:59:39 +02:00
Code Issues Projects Releases Wiki Activity

[bug] Fix OIDC users requiring second approval (#371)

Browse Source 
* tidy up NewSignup
* pre-approve users created via OIDC
This commit is contained in:
tobi
2022-01-31 16:03:47 +01:00
committed by GitHub
parent 5be8a7a7ea
commit 18e7537393
2 changed files with 21 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
internal/api/client/auth/callback.go
View File

@ -30,8 +30,6 @@ import (
"github.com/gin-contrib/sessions"
"github.com/gin-gonic/gin"
"github.com/google/uuid"
"github.com/spf13/viper"
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
"github.com/superseriousbusiness/gotosocial/internal/oidc"
@ -206,19 +204,27 @@ func (m *Module) parseUserFromClaims(ctx context.Context, claims *oidc.Claims, i
}
}
// we still need to set *a* password even if it's not a password the user will end up using, so set something random
// in this case, we'll just set two uuids on top of each other, which should be long + random enough to baffle any attempts to crack.
// We still need to set *a* password even if it's not a password the user will end up using, so set something random.
// We'll just set two uuids on top of each other, which should be long + random enough to baffle any attempts to crack.
//
// if the user ever wants to log in using gts password rather than oidc flow, they'll have to request a password reset, which is fine
// If the user ever wants to log in using gts password rather than oidc flow, they'll have to request a password reset, which is fine
password := uuid.NewString() + uuid.NewString()
// Since this user is created via oidc, which has been set up by the admin, we can assume that the account is already
// implicitly approved, and that the email address has already been verified: otherwise, we end up in situations where
// the admin first approves the user in OIDC, and then has to approve them again in GoToSocial, which doesn't make sense.
//
// In other words, if a user logs in via OIDC, they should be able to use their account straight away.
//
// See: https://github.com/superseriousbusiness/gotosocial/issues/357
requireApproval := false
emailVerified := true
// create the user! this will also create an account and store it in the database so we don't need to do that here
requireApproval := viper.GetBool(config.Keys.AccountsApprovalRequired)
user, err = m.db.NewSignup(ctx, username, "", requireApproval, claims.Email, password, ip, "", appID, claims.EmailVerified, admin)
user, err = m.db.NewSignup(ctx, username, "", requireApproval, claims.Email, password, ip, "", appID, emailVerified, admin)
if err != nil {
return nil, fmt.Errorf("error creating user: %s", err)
}
return user, nil
}