Merge branch 'sh-fix-500-error-unconfirmed-user' into 'master'

Fix 500 error when unconfirmed user with 2FA logs in with OAuth2 Closes #232611 See merge request gitlab-org/gitlab!38104

Merge branch 'sh-fix-500-error-unconfirmed-user' into 'master'
Fix 500 error when unconfirmed user with 2FA logs in with OAuth2 Closes #232611 See merge request gitlab-org/gitlab!38104
62848d57 · Jarka Košanová · 85417741 · f2883f40 · 62848d57 · 62848d57
Commit 62848d57 authored Jul 29, 2020 by Jarka Košanová
4 changed files
--- a/app/controllers/concerns/authenticates_with_two_factor.rb
+++ b/app/controllers/concerns/authenticates_with_two_factor.rb
@@ -33,9 +33,7 @@ module AuthenticatesWithTwoFactor
  end

  def locked_user_redirect(user)
-    flash.now[:alert] = locked_user_redirect_alert(user)
-
-    render 'devise/sessions/new'
+    redirect_to new_user_session_path, alert: locked_user_redirect_alert(user)
  end

  def authenticate_with_two_factor
@@ -54,7 +52,13 @@ module AuthenticatesWithTwoFactor
  private

  def locked_user_redirect_alert(user)
-    user.access_locked? ? _('Your account is locked.') : _('Invalid Login or password')
+    if user.access_locked?
+      _('Your account is locked.')
+    elsif !user.confirmed?
+      I18n.t('devise.failure.unconfirmed')
+    else
+      _('Invalid Login or password')
+    end
  end

  def clear_two_factor_attempt!

--- a/changelogs/unreleased/sh-fix-500-error-unconfirmed-user.yml
+++ b/changelogs/unreleased/sh-fix-500-error-unconfirmed-user.yml
+---
+title: Fix 500 error when unconfirmed OAuth2 user with 2FA logs in
+merge_request: 38104
+author:
+type: fixed
--- a/spec/controllers/omniauth_callbacks_controller_spec.rb
+++ b/spec/controllers/omniauth_callbacks_controller_spec.rb
@@ -181,6 +181,23 @@ RSpec.describe OmniauthCallbacksController, type: :controller do
          end
        end

+        context 'when user with 2FA is unconfirmed' do
+          render_views
+
+          let(:user) { create(:omniauth_user, :two_factor, extern_uid: 'my-uid', provider: provider) }
+
+          before do
+            user.update_column(:confirmed_at, nil)
+          end
+
+          it 'redirects to login page' do
+            post provider
+
+            expect(response).to redirect_to(new_user_session_path)
+            expect(flash[:alert]).to match(/You have to confirm your email address before continuing./)
+          end
+        end
+
        context 'sign up' do
          include_context 'sign_up'


--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -399,7 +399,7 @@ RSpec.describe SessionsController do
              end

              it 'warns about invalid login' do
-                expect(response).to set_flash.now[:alert].to /Your account is locked./
+                expect(flash[:alert]).to eq('Your account is locked.')
              end

              it 'locks the user' do
@@ -409,7 +409,7 @@ RSpec.describe SessionsController do
              it 'keeps the user locked on future login attempts' do
                post(:create, params: { user: { login: user.username, password: user.password } })

-                expect(response).to set_flash.now[:alert].to /Your account is locked./
+                expect(flash[:alert]).to eq('Your account is locked.')
              end
            end
          end