From 722fe23b4e962cd5bc2b28c42bb9795c9ec907fd Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Tue, 26 Mar 2019 20:38:46 +0000
Subject: [PATCH] FEATURE: Add site setting to override user email address during login
---
 config/locales/server.en.yml | 1 +
 config/settings.yml | 1 +
 plugin.rb | 1 +
 spec/plugin_spec.rb | 23 +++++++++++++++++++++++
 4 files changed, 26 insertions(+)
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 0c22522..dfe5568 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -14,6 +14,7 @@ en:
 oauth2_json_email_path: "Path in the OAuth2 User JSON to the user's email: user.email.primary"
 oauth2_json_avatar_path: "Path in the Oauth2 User JSON to the user's avatar: user.avatar_url"
 oauth2_email_verified: "Check this if the OAuth2 site has verified the email"
+ oauth2_overrides_email: "Override the Discourse email with the remote email on every login"
 oauth2_send_auth_header: "Send the token as an HTTP Authorization header"
 oauth2_debug_auth: "Include rich debugging information in your logs"
 oauth2_authorize_options: "When authorizing request these options"
diff --git a/config/settings.yml b/config/settings.yml
index cf3ab85..9aa693f 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -25,6 +25,7 @@ login:
 oauth2_json_email_path: ''
 oauth2_json_avatar_path: ''
 oauth2_email_verified: false
+ oauth2_overrides_email: false
 oauth2_send_auth_header: true
 oauth2_debug_auth: false
 oauth2_authorize_options:
diff --git a/plugin.rb b/plugin.rb
index 347272d..d8866fd 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -124,6 +124,7 @@ class OAuth2BasicAuthenticator < ::Auth::OAuth2Authenticator
 current_info = ::PluginStore.get("oauth2_basic", "oauth2_basic_user_#{user_details[:user_id]}")
 if current_info
 result.user = User.where(id: current_info[:user_id]).first
+ result.user&.update!(email: result.email) if SiteSetting.oauth2_overrides_email && result.email
 elsif SiteSetting.oauth2_email_verified?
 result.user = User.find_by_email(result.email)
 if result.user && user_details[:user_id]
diff --git a/spec/plugin_spec.rb b/spec/plugin_spec.rb
index 485cf3b..59bf72e 100644
--- a/spec/plugin_spec.rb
+++ b/spec/plugin_spec.rb
@@ -46,6 +46,29 @@ describe OAuth2BasicAuthenticator do
 expect(result.user).to eq(user)
 end
+ it 'updated user email if enabled' do
+ authenticator.stubs(:fetch_user_details).returns(email: user.email, user_id: 'id')
+
+ # Create association
+ result = authenticator.after_authenticate(auth)
+ expect(result.user).to eq(user)
+
+ # Change user email on remote system
+ old_email = user.email
+ authenticator.stubs(:fetch_user_details).returns(email: "newemail@example.com", user_id: 'id')
+
+ # Login again - no change
+ result = authenticator.after_authenticate(auth)
+ expect(result.user).to eq(user)
+ expect(result.user.email).to eq(old_email)
+
+ # Enable site setting
+ SiteSetting.oauth2_overrides_email = true
+ result = authenticator.after_authenticate(auth)
+ expect(result.user).to eq(user)
+ expect(result.user.email).to eq("newemail@example.com")
+ end
+
 context 'avatar downloading' do
 before { SiteSetting.queue_jobs = true }
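Review bot: The added `update!` line in the plugin.rb hunk copies the provider-supplied address onto the Discourse account without consulting `SiteSetting.oauth2_email_verified?`, so with `oauth2_overrides_email` on and verification off, an address the remote site never confirmed becomes the account's email; the sibling `elsif` branch trusts the remote email only when that setting is on, and the override should probably be gated the same way, e.g. `if SiteSetting.oauth2_overrides_email && SiteSetting.oauth2_email_verified? && result.email.present?`. The current guard `&& result.email` also lets an empty string through, and `update!` raises on any validation failure (blank, malformed, or presumably an address already held by another account), which would turn an ordinary login into an unhandled error; a non-raising `result.user.update(email: result.email)` with the failure logged, or a rescue of `ActiveRecord::RecordInvalid`, keeps the login path working. The spec hunk below covers only the successful override, so a case for a blank or conflicting remote email would pin this behaviour. `after_authenticate` starts and ends outside the hunk, so whether a caller already rescues the exception is not visible here.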