This view uses cursor based pagination but then undermines
that by counting the total number of users so limit the effect
of that but counting a maximum of ten pages of users.
It does not add any additional guards against malicious users:
Malicious user may attempt to invoke `POST /users/new` with bogus
values for `auth_provider` and `auth_uid` resulting
with a new account to which user would have a way to login, other than
sending a password reset request.
In some cases, re-authorization would introduce additional
"Please login to your social account", or "Are you sure you want to be logged in"
popup triggered by identity provider.
This PR removes the re-authorization request from `POST /users/new` in authorization flow.
Fixes the following:
- `users_controller#new` loses referer in authorization scenario, when it was invoked after social signup succeded
- the second invocation of `auth_success`, triggered by re-authorization initiated from `users_controller#create`
does not have referrer field set
- as a result, the final welcome screen does not offer final authorization, and drops into ID instead
Introduced by #4758.
Replace login.live.com with login.microsoftonline.com in CSP allow list.
The URL changed with the move from using the omniauth-windowslive plugin
to the omniauth-microsoft_graph plugin but wasn't noticed until now.
Only show the duplicate email message if we actually have errors
logged against the email field, and then show it as a warning.
In all other cases we show the generic informational hint about
social logins and pre-existing accounts.
- Add preferred provider for authorization to login and signup pages.
To use, the 3rd party application would have to add `preferred_provider=...`
parameter to OAuth2 authorization request.
- Resize 3rd party provider icons
- Add "login to authorize" heading to login and signup screens
Omniauth-microsoft_graph correctly populates 'email' and 'name' fields used by OpenStreetMap.
It also uses updated endpoints for Microsoft identity provider.
Use email address returned by microsoft_graph provider as a verified address.
Upgrading exisiting users from windowslive to microsoft_graph:
- upon next login existing `windowslive` users will have to authorizei
OpenStreetMap application to "Read Your Profile," required for proper reading
of display name field.
The name of the identity provider in OSM is kept to 'windowslive':
- the entries in users table with `provider == 'windowslive'`
can be reused for microsoft_graph provider, since
the uid field is preserved. Users will not need to repeat the sign up process.
- OAuth2 callback is still `/auth/windowslive`, no updates to Microsoft Identity Provider portal
App registration are necessary.
