Class: Auth::GoogleOAuth2Authenticator

Inherits:

ManagedAuthenticator

• Object
• Authenticator
• ManagedAuthenticator
• Auth::GoogleOAuth2Authenticator

Defined in:

lib/auth/google_oauth2_authenticator.rb

Instance Method Summary

• #after_authenticate(auth_token, existing_account: nil) ⇒ Object
• #enabled? ⇒ Boolean
• #name ⇒ Object
• #primary_email_verified?(auth_token) ⇒ Boolean
• #provides_groups? ⇒ Boolean
• #register_middleware(omniauth) ⇒ Object

Methods inherited from ManagedAuthenticator

#after_create_account, #always_update_user_email?, #can_connect_existing_user?, #can_revoke?, #description_for_auth_hash, #description_for_user, #find_user_by_email, #find_user_by_username, #is_managed?, #match_by_email, #match_by_username, #retrieve_avatar, #retrieve_profile, #revoke

Methods inherited from Authenticator

#after_create_account, #can_connect_existing_user?, #can_revoke?, #description_for_auth_hash, #description_for_user, #revoke

Instance Method Details

#after_authenticate(auth_token, existing_account: nil) ⇒ Object

# File 'lib/auth/google_oauth2_authenticator.rb', line 49

def after_authenticate(auth_token, existing_account: nil)
  groups = provides_groups? ? raw_groups(auth_token.uid) : nil
  auth_token.extra[:raw_groups] = groups if groups

  result = super

  if groups
    result.associated_groups =
      groups.map { |group| group.with_indifferent_access.slice(:id, :name) }
  end

  result
end

#enabled? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/auth/google_oauth2_authenticator.rb', line 13

def enabled?
  SiteSetting.enable_google_oauth2_logins
end

#name ⇒ Object

# File 'lib/auth/google_oauth2_authenticator.rb', line 9

def name
  "google_oauth2"
end

#primary_email_verified?(auth_token) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/auth/google_oauth2_authenticator.rb', line 17

def primary_email_verified?(auth_token)
  # note, emails that come back from google via omniauth are always valid
  # this protects against future regressions
  auth_token[:extra][:raw_info][:email_verified]
end

#provides_groups? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/auth/google_oauth2_authenticator.rb', line 63

def provides_groups?
  SiteSetting.google_oauth2_hd.present? && SiteSetting.google_oauth2_hd_groups &&
    SiteSetting.google_oauth2_hd_groups_service_account_admin_email.present? &&
    SiteSetting.google_oauth2_hd_groups_service_account_json.present?
end

#register_middleware(omniauth) ⇒ Object

# File 'lib/auth/google_oauth2_authenticator.rb', line 23

def register_middleware(omniauth)
  options = {
    setup:
      lambda do |env|
        strategy = env["omniauth.strategy"]
        strategy.options[:client_id] = SiteSetting.google_oauth2_client_id
        strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret

        if (google_oauth2_hd = SiteSetting.google_oauth2_hd).present?
          strategy.options[:hd] = google_oauth2_hd
        end

        if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present?
          strategy.options[:prompt] = google_oauth2_prompt.gsub("|", " ")
        end

        # All the data we need for the `info` and `credentials` auth hash
        # are obtained via the user info API, not the JWT. Using and verifying
        # the JWT can fail due to clock skew, so let's skip it completely.
        # https://github.com/zquestz/omniauth-google-oauth2/pull/392
        strategy.options[:skip_jwt] = true
      end,
  }
  omniauth.provider :google_oauth2, options
end