It does not add any additional guards against malicious users:
Malicious user may attempt to invoke `POST /users/new` with bogus
values for `auth_provider` and `auth_uid` resulting
with a new account to which user would have a way to login, other than
sending a password reset request.
In some cases, re-authorization would introduce additional
"Please login to your social account", or "Are you sure you want to be logged in"
popup triggered by identity provider.
This PR removes the re-authorization request from `POST /users/new` in authorization flow.
Fixes the following:
- `users_controller#new` loses referer in authorization scenario, when it was invoked after social signup succeded
- the second invocation of `auth_success`, triggered by re-authorization initiated from `users_controller#create`
does not have referrer field set
- as a result, the final welcome screen does not offer final authorization, and drops into ID instead
Introduced by #4758.
Replace login.live.com with login.microsoftonline.com in CSP allow list.
The URL changed with the move from using the omniauth-windowslive plugin
to the omniauth-microsoft_graph plugin but wasn't noticed until now.
Only show the duplicate email message if we actually have errors
logged against the email field, and then show it as a warning.
In all other cases we show the generic informational hint about
social logins and pre-existing accounts.
- Add preferred provider for authorization to login and signup pages.
To use, the 3rd party application would have to add `preferred_provider=...`
parameter to OAuth2 authorization request.
- Resize 3rd party provider icons
- Add "login to authorize" heading to login and signup screens
Omniauth-microsoft_graph correctly populates 'email' and 'name' fields used by OpenStreetMap.
It also uses updated endpoints for Microsoft identity provider.
Use email address returned by microsoft_graph provider as a verified address.
Upgrading exisiting users from windowslive to microsoft_graph:
- upon next login existing `windowslive` users will have to authorizei
OpenStreetMap application to "Read Your Profile," required for proper reading
of display name field.
The name of the identity provider in OSM is kept to 'windowslive':
- the entries in users table with `provider == 'windowslive'`
can be reused for microsoft_graph provider, since
the uid field is preserved. Users will not need to repeat the sign up process.
- OAuth2 callback is still `/auth/windowslive`, no updates to Microsoft Identity Provider portal
App registration are necessary.
The user status is a bit complex, since there are various states and
not all transitions between them make sense.
Using AASM means that we can name and restrict the transitions, which
hopefully makes them easier to reason about.
"delete" is generally used for immediate SQL deletion without running
any callbacks or other ruby code, whereas "destroy" will trigger callbacks.
Although we don't currently use any callbacks, let's rename this method to
align better with the convention.
