# frozen_string_literal: true
class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
  include Gitlab::Experimentation::ControllerConcern
  include InitializesCurrentUserMode

  # Each filter renders the Doorkeeper error page when its check fails; they
  # run in the order listed, so the confirmed-e-mail check comes first.
  before_action :verify_confirmed_email!, :verify_confidential_application!

  layout 'profile'

  # Overrides Doorkeeper::AuthorizationsController#new so that, when the grant
  # is approved without a consent screen (skip_authorization? or
  # matching_token? holds), the stored :user_return_to is dropped from the
  # session before the browser is redirected to the client's redirect_uri.
  # Any other authorizable request renders the consent page; a request that
  # is not authorizable renders the Doorkeeper error page.
  def new
    return render "doorkeeper/authorizations/error" unless pre_auth.authorizable?
    return render "doorkeeper/authorizations/new" unless skip_authorization? || matching_token?

    granted = authorization.authorize
    session.delete(:user_return_to)
    redirect_to granted.redirect_uri
  end

  private

  # Confidential applications must present their client_secret with the
  # request, but Doorkeeper lets implicit-grant requests (response_type=token)
  # through without it regardless of the confidential setting. That undermines
  # the guarantee the flag is meant to give, so such requests get the error
  # page instead of a token.
  # NOTE(review): unlike verify_confirmed_email!, no pre_auth.error is set
  # before rendering here — confirm the error template copes with a nil error.
  def verify_confidential_application!
    return unless authorizable_confidential?

    render 'doorkeeper/authorizations/error'
  end

  # True for an otherwise-authorizable implicit-grant request whose client
  # application is flagged confidential — the case the filter above blocks.
  # Evaluation order is kept: the cheaper checks run before the application
  # lookup.
  def authorizable_confidential?
    pre_auth.authorizable? &&
      pre_auth.response_type == 'token' &&
      pre_auth.client.application.confidential
  end

  # A user without a confirmed e-mail address (or no signed-in user at all)
  # may not authorize a client; the request is failed with :unconfirmed_email.
  def verify_confirmed_email!
    unless current_user&.confirmed?
      pre_auth.error = :unconfirmed_email
      render "doorkeeper/authorizations/error"
    end
  end
end