FIX: Accept strings for the email_verified token

This is technically a spec violation, but many providers do this so we should check for the string 'true'
2020-07-10 16:49:32 +01:00 · 2020-07-10 16:49:32 +01:00 · 9ada9528e8
parent 20c835ea06
commit 9ada9528e8
2 changed files with 18 additions and 1 deletions
--- a/lib/openid_connect_authenticator.rb
+++ b/lib/openid_connect_authenticator.rb
@ -19,7 +19,12 @@ class OpenIDConnectAuthenticator < Auth::ManagedAuthenticator
  def primary_email_verified?(auth)
    supplied_verified_boolean = auth['extra']['raw_info']['email_verified']
    # If the payload includes the email_verified boolean, use it. Otherwise assume true
-    supplied_verified_boolean.nil? ? true : supplied_verified_boolean
+    if supplied_verified_boolean.nil?
+      true
+    else
+      # Many providers violate the spec, and send this as a string rather than a boolean
+      supplied_verified_boolean == true || supplied_verified_boolean == 'true'
+    end
  end

  def always_update_user_email?
--- a/spec/lib/openid_connect_authenticator_spec.rb
+++ b/spec/lib/openid_connect_authenticator_spec.rb
@ -37,6 +37,12 @@ describe OpenIDConnectAuthenticator do
      result = authenticator.after_authenticate(hash)
      expect(result.user).to eq(user)
    end
+
+    it 'matches the user as a true string' do
+      hash[:extra][:raw_info][:email_verified] = 'true'
+      result = authenticator.after_authenticate(hash)
+      expect(result.user).to eq(user)
+    end
  end

  context "when email_verified is false" do
@ -45,6 +51,12 @@ describe OpenIDConnectAuthenticator do
      result = authenticator.after_authenticate(hash)
      expect(result.user).to eq(nil)
    end
+
+    it 'does not match the user as a false string' do
+      hash[:extra][:raw_info][:email_verified] = 'false'
+      result = authenticator.after_authenticate(hash)
+      expect(result.user).to eq(nil)
+    end
  end

 end