Password fails validation with Google (OpenID) Auth

(Sam Bauch) #1

So I’ve definitely made some changes to Discourse’s registration flow to better fit my needs, but a new bug introduced itself recently and I wanted to double check whether it was actually a bug.

My belief was that the design pattern for registration using OAuth credentials would not require a password. That’s sort of the point, right, that you don’t have passwords for things all over the internet, but just use your authentication from a common provider?

However, I’m getting a password validation failure on creating an account via Google Apps OAuth - that the password is too short.

It looks like line 155 of users_controller.rb is the culprit:

user.password_required! unless auth

Commenting that out seemed to fix the problem, but I think changing it to something like

user.password_required! unless valid_session_authentication?(auth, params[:email])

might be the better course of action?

(Neil Lalonde) #2

This sounds like a problem that people were having when running Discourse on Heroku. Sounds to me like the session is being lost along the way.

What does Discourse.current_hostname return for you on your server?

(Sam Bauch) #3

Ah, yes, I am deployed on Heroku, and the hostname is returning the raw AWS address as reported in that other thread.

The curious bit is that if I puts the session values as well as the result of valid_session_authentication? as such in the create action on the users_controller:

user = User.new_from_params(params)
auth = session[:authentication]
puts 'auth' + auth.to_s
puts 'valid?' + valid_session_authentication?(auth, params[:email]).to_s

My logs show:

2013-04-22T19:49:05.017106+00:00 app[web.1]: Started POST "/users" for at 2013-04-22 19:49:05 +0000
2013-04-22T19:49:05.038546+00:00 app[web.1]: auth{:email=>"", :email_valid=>true, :openid_url=>nil}
2013-04-22T19:49:05.038546+00:00 app[web.1]: valid?true
2013-04-22T19:49:06.136209+00:00 app[web.1]: Processing by UsersController#create as JSON
2013-04-22T19:49:06.136209+00:00 app[web.1]:   Parameters: {"name"=>"Vaynerapps Testone", "email"=>"", "username"=>"VaynerappsTestone", "password_confirmation"=>"[FILTERED]", "challenge"=>"b2cc760c4779103"}
2013-04-22T19:49:06.136209+00:00 app[web.1]: Completed 200 OK in 1107ms (Views: 0.4ms | ActiveRecord: 347.3ms)

This allowed the user to complete creation with my above fix the first time I tested it. But then it also worked with the unless auth conditional too.

Frustrating in that it seems to work sometimes and not others. I figure we can close this considering it’s pretty much a duplicate, my apologies.

For now, since I only allow Google registrations, I’m just going to leave password_required! commented out.
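
The three guards discussed in this thread, compared side by side as an added example (not part of any post and not Discourse source code). The body of valid_session_authentication? is an assumption inferred from its arguments and the session hash in the logs above, and the sample sessions and e-mail addresses are constructed.

```ruby
# Added illustration: models when a signup is forced to supply a password
# under each variant of the guard. Not Discourse's own code.

# ASSUMED semantics: the session holds provider auth data, the provider
# verified the e-mail, and it matches the e-mail submitted in the form.
def valid_session_authentication?(auth, email)
  !auth.nil? && auth[:email_valid] == true && auth[:email] == email
end

# Each guard returns true when password_required! would be called.
GUARDS = {
  # post #3 workaround: the call is commented out entirely
  commented_out: ->(_auth, _email) { false },
  # original line: user.password_required! unless auth
  unless_auth: ->(auth, _email) { auth.nil? },
  # proposal from post #1
  unless_valid: ->(auth, email) { !valid_session_authentication?(auth, email) }
}.freeze

# Constructed sessions in the shape seen in the logs, paired with the
# e-mail submitted in the signup form.
VERIFIED = { email: "a@example.com", email_valid: true, openid_url: nil }.freeze
CASES = {
  oauth_ok: [VERIFIED, "a@example.com"],
  session_lost: [nil, "a@example.com"], # the Heroku symptom
  email_mismatch: [VERIFIED, "b@example.com"],
  email_unverified: [VERIFIED.merge(email_valid: false), "a@example.com"]
}.freeze

# Builds { case => { guard => password_required? } }.
def password_required_matrix
  CASES.to_h do |name, (auth, email)|
    [name, GUARDS.transform_values { |guard| guard.call(auth, email) }]
  end
end

password_required_matrix.each { |name, row| puts "#{name}: #{row}" }
```

A lost session makes both conditional guards demand a password, which is the "too short" failure reported here. With the call commented out no case requires a password, so that workaround only holds while every local signup path is disabled.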

(Jeff Atwood) #4

Is this still an issue in current versions?

(Jeff Atwood) #5