mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-03 07:56:29 +02:00
4e5f43896e
## Summary This fixes an OIDC sign-in edge case where a stale `external_login_user` record can still point to an organization or a deleted user. In that situation, Gitea may keep resolving the external login to the wrong account during sign-in. For affected instances, this matches the behavior reported in #36439 and #37812, where a user signing in with OIDC/Entra ID could appear as an organization, or hit a 404 after that organization was removed. ## What changed - validate the user resolved from `external_login_user` during OAuth2/OIDC login - ignore stale links when the linked user no longer exists - ignore stale links when the linked user is not an individual user - remove the stale external login row so the sign-in flow can relink the external account to the correct user ## Related - Fixes #37812 - Related to #36439 --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com>
92 lines
2.3 KiB
Go
92 lines
2.3 KiB
Go
// Copyright 2024 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package oauth2
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"gitea.dev/models/auth"
|
|
"gitea.dev/models/unittest"
|
|
user_model "gitea.dev/models/user"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestSource(t *testing.T) {
|
|
assert.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
source := &Source{
|
|
Provider: "fake",
|
|
ConfigBase: auth.ConfigBase{
|
|
AuthSource: &auth.Source{
|
|
ID: 12,
|
|
Type: auth.OAuth2,
|
|
Name: "fake",
|
|
IsActive: true,
|
|
IsSyncEnabled: true,
|
|
},
|
|
},
|
|
}
|
|
|
|
user := &user_model.User{
|
|
LoginName: "external",
|
|
LoginType: auth.OAuth2,
|
|
LoginSource: source.AuthSource.ID,
|
|
Name: "test",
|
|
Email: "external@example.com",
|
|
}
|
|
|
|
err := user_model.CreateUser(t.Context(), user, &user_model.Meta{}, &user_model.CreateUserOverwriteOptions{})
|
|
assert.NoError(t, err)
|
|
|
|
e := &user_model.ExternalLoginUser{
|
|
ExternalID: "external",
|
|
UserID: user.ID,
|
|
LoginSourceID: user.LoginSource,
|
|
RefreshToken: "valid",
|
|
}
|
|
err = user_model.LinkExternalToUser(t.Context(), user, e)
|
|
assert.NoError(t, err)
|
|
|
|
provider, err := createProvider(source.AuthSource.Name, source)
|
|
assert.NoError(t, err)
|
|
|
|
t.Run("refresh", func(t *testing.T) {
|
|
t.Run("valid", func(t *testing.T) {
|
|
err := source.refresh(t.Context(), provider, e)
|
|
assert.NoError(t, err)
|
|
|
|
e, ok, err := user_model.GetExternalLogin(t.Context(), e.LoginSourceID, e.ExternalID)
|
|
assert.NoError(t, err)
|
|
assert.True(t, ok)
|
|
assert.Equal(t, "refresh", e.RefreshToken)
|
|
assert.Equal(t, "token", e.AccessToken)
|
|
|
|
u, err := user_model.GetUserByID(t.Context(), user.ID)
|
|
assert.NoError(t, err)
|
|
assert.True(t, u.IsActive)
|
|
})
|
|
|
|
t.Run("expired", func(t *testing.T) {
|
|
err := source.refresh(t.Context(), provider, &user_model.ExternalLoginUser{
|
|
ExternalID: "external",
|
|
UserID: user.ID,
|
|
LoginSourceID: user.LoginSource,
|
|
RefreshToken: "expired",
|
|
})
|
|
assert.NoError(t, err)
|
|
|
|
e, ok, err := user_model.GetExternalLogin(t.Context(), e.LoginSourceID, e.ExternalID)
|
|
assert.NoError(t, err)
|
|
assert.True(t, ok)
|
|
assert.Empty(t, e.RefreshToken)
|
|
assert.Empty(t, e.AccessToken)
|
|
|
|
u, err := user_model.GetUserByID(t.Context(), user.ID)
|
|
assert.NoError(t, err)
|
|
assert.False(t, u.IsActive)
|
|
})
|
|
})
|
|
}
|