Merge pull request from GHSA-vm39-j3vx-pch3

* Prevent different identities from a same SSO provider from accessing a same account * Lock auth provider changes behind `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true` * Rename methods to avoid confusion between OAuth and OmniAuth
2024-02-14 15:16:07 +01:00 · 2024-02-14 15:16:07 +01:00 · f1700523f1
commit f1700523f1
parent 0b0c7af2c1
5 changed files with 44 additions and 20 deletions
--- a/spec/models/identity_spec.rb
+++ b/spec/models/identity_spec.rb
@ -3,16 +3,16 @@
 require 'rails_helper'

 RSpec.describe Identity do
-  describe '.find_for_oauth' do
+  describe '.find_for_omniauth' do
    let(:auth) { Fabricate(:identity, user: Fabricate(:user)) }

    it 'calls .find_or_create_by' do
      expect(described_class).to receive(:find_or_create_by).with(uid: auth.uid, provider: auth.provider)
-      described_class.find_for_oauth(auth)
+      described_class.find_for_omniauth(auth)
    end

    it 'returns an instance of Identity' do
-      expect(described_class.find_for_oauth(auth)).to be_instance_of described_class
+      expect(described_class.find_for_omniauth(auth)).to be_instance_of described_class
    end
  end
 end
--- a/spec/requests/omniauth_callbacks_spec.rb
+++ b/spec/requests/omniauth_callbacks_spec.rb
@ -96,7 +96,7 @@ describe 'OmniAuth callbacks' do

    context 'when a user cannot be built' do
      before do
-        allow(User).to receive(:find_for_oauth).and_return(User.new)
+        allow(User).to receive(:find_for_omniauth).and_return(User.new)
      end

      it 'redirects to the new user signup page' do