Browse Source
Check email-verified on SSO login/create
This commit prevents possible account takeover via SSO which doesn't check/validate or provide validated status of the email.
It was checked at other locations, but was skipped here.
Signed-off-by: BlackDex <black.dex@gmail.com>
BlackDex
4 weeks ago
GPG Key ID:
1 changed files with
27 additions and
1 deletions
src/api/identity.rs
@ -230,7 +230,33 @@ async fn _sso_login(
}
)
}
Some ( ( user , None ) ) = > Some ( ( user , None ) ) ,
Some ( ( user , None ) ) = > match user_infos . email_verified {
None if ! CONFIG . sso_allow_unknown_email_verification ( ) = > {
error ! (
"Login failure ({}), existing non SSO user ({}) with same email ({}) and email verification status is unknown" ,
user_infos . identifier , user . uuid , user . email
) ;
err_silent ! (
"Email verification status is unknown" ,
ErrorEvent {
event : EventType ::UserFailedLogIn
}
)
}
Some ( false ) = > {
error ! (
"Login failure ({}), existing non SSO user ({}) with same email ({}) and email is not verified" ,
user_infos . identifier , user . uuid , user . email
) ;
err_silent ! (
"Email is not verified by the SSO provider" ,
ErrorEvent {
event : EventType ::UserFailedLogIn
}
)
}
_ = > Some ( ( user , None ) ) ,
} ,
} ,
Some ( ( user , sso_user ) ) = > Some ( ( user , Some ( sso_user ) ) ) ,
} ;
BlackDex
4 weeks ago