Merge branch 'fix/auth0-unsafe-login-10-5' into 'security-10-5'

[10.5] Fix GitLab Auth0 integration signs in the wrong user See merge request gitlab/gitlabhq!2353
author: James Lopez <james@gitlab.com> 2018-03-15 14:59:21 +0000
committer: Mark Fletcher <mark@gitlab.com> 2018-03-16 12:57:58 +0000
commit: 7fca314680776995b4e6858b55001a4bf56bf17a (patch)
tree: b00df8878203d7e19fb8e7e5902a0fe8e86e6478 /app
parent: 254529300eeb0a11e50e0b2ebc1abecf9908f13e (diff)
download: gitlab-ce-7fca314680776995b4e6858b55001a4bf56bf17a.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 83c9a3f035e..fecc3145833 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -95,6 +95,14 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     handle_omniauth
   end
 
+  def auth0
+    if oauth['uid'].blank?
+      fail_auth0_login
+    else
+      handle_omniauth
+    end
+  end
+
   private
 
   def handle_omniauth
@@ -170,6 +178,12 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     redirect_to new_user_session_path
   end
 
+  def fail_auth0_login
+    flash[:alert] = 'Wrong extern UID provided. Make sure Auth0 is configured correctly.'
+
+    redirect_to new_user_session_path
+  end
+
   def handle_disabled_provider
     label = Gitlab::OAuth::Provider.label_for(oauth['provider'])
     flash[:alert] = "Signing in using #{label} has been disabled"
author	James Lopez <james@gitlab.com>	2018-03-15 14:59:21 +0000
committer	Mark Fletcher <mark@gitlab.com>	2018-03-16 12:57:58 +0000
commit	7fca314680776995b4e6858b55001a4bf56bf17a (patch)
tree	b00df8878203d7e19fb8e7e5902a0fe8e86e6478 /app
parent	254529300eeb0a11e50e0b2ebc1abecf9908f13e (diff)
download	gitlab-ce-7fca314680776995b4e6858b55001a4bf56bf17a.tar.gz