FIX: Clear authentication data from session after create account (#8040)

FIX: Clear authentication data from session after create account (#8040)

diff --git a/app/services/user_authenticator.rb b/app/services/user_authenticator.rb
index c2361f6..d988300 100644
--- a/app/services/user_authenticator.rb
+++ b/app/services/user_authenticator.rb
@@ -4,7 +4,8 @@ class UserAuthenticator
 
   def initialize(user, session, authenticator_finder = Users::OmniauthCallbacksController)
     @user = user
-    @session = session[:authentication]
+    @session = session
+    @auth_session = session[:authentication]
     @authenticator_finder = authenticator_finder
   end
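Review bot: The constructor now keeps two references whose roles are easy to confuse on later reading: `@session` is only ever written to (in `finish`, later in this diff) while every read goes through `@auth_session`, and nothing here says so. A short comment on the two assignments would prevent a future change from reading auth data off `@session` by mistake, e.g. `# whole session is kept only so finish can clear session[:authentication]` above `@session = session` and `# the per-signup authentication payload; all reads go through this` above `@auth_session = session[:authentication]`. The rest of the class lives outside this hunk.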
 
@@ -15,7 +16,7 @@ class UserAuthenticator
       @user.password_required!
     end
 
-    @user.skip_email_validation = true if @session && @session[:skip_email_validation].present?
+    @user.skip_email_validation = true if @auth_session && @auth_session[:skip_email_validation].present?
   end
 
   def has_authenticator?
@@ -24,18 +25,18 @@ class UserAuthenticator
 
   def finish
     if authenticator
-      authenticator.after_create_account(@user, @session)
+      authenticator.after_create_account(@user, @auth_session)
       confirm_email
     end
-    @session = nil
+    @session[:authentication] = @auth_session = nil if @auth_session
   end
 
   def email_valid?
-    @session && @session[:email_valid]
+    @auth_session && @auth_session[:email_valid]
   end
 
   def authenticated?
-    @session && @session[:email]&.downcase == @user.email.downcase && @session[:email_valid].to_s == "true"
+    @auth_session && @auth_session[:email]&.downcase == @user.email.downcase && @auth_session[:email_valid].to_s == "true"
   end
 
   private
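Review bot: In `finish` the session key is cleared only when `after_create_account` and `confirm_email` return normally, so an exception from the authenticator (or from `confirm_email`, which lives outside this hunk) leaves `session[:authentication]`, with its `email_valid` and `skip_email_validation` values, in place for a later request. If the account already exists by the time `finish` runs, that payload has done its job and should not outlive the call: move the clearing into an `ensure` clause, i.e. `ensure` followed by `@session[:authentication] = @auth_session = nil if @auth_session` just before the method's `end`. The chained `a = b = nil` assignment also reads tersely; writing it as two statements makes the intent, dropping the in-memory copy and the session entry together, more obvious. I cannot see the caller, so whether any error path relies on the data surviving for a retry should be confirmed before making the `ensure` change.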
@@ -54,7 +55,7 @@ class UserAuthenticator
   end
 
   def authenticator_name
-    @session && @session[:authenticator_name]
+    @auth_session && @auth_session[:authenticator_name]
   end
 
 end
diff --git a/spec/services/user_authenticator_spec.rb b/spec/services/user_authenticator_spec.rb
index b54f282..7ee4543 100644
--- a/spec/services/user_authenticator_spec.rb
+++ b/spec/services/user_authenticator_spec.rb
@@ -57,5 +57,15 @@ describe UserAuthenticator do
       expect(user.email_confirmed?).to be_falsey
       expect(group.usernames).not_to include(user.username)
     end
+
+    it "clears the authentication info from the session" do
+      user = Fabricate(:user, email: "user53@discourse.org")
+      session = { authentication: github_auth(true) }
+
+      UserAuthenticator.new(user, session).finish
+      expect(user.email_confirmed?).to be_truthy
+
+      expect(session[:authentication]).to eq(nil)
+    end
   end
 end
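Review bot: The new example checks that the authentication key is removed but not that `finish`, which now writes to the whole session hash, leaves other session entries alone; since the session is constructed inline here that is cheap to pin, e.g. `session = { authentication: github_auth(true), other: "kept" }` (constructed value) with a closing `expect(session[:other]).to eq("kept")`. Stylistically, `expect(session[:authentication]).to eq(nil)` is clearer as `expect(session[:authentication]).to be_nil`. `github_auth` is defined outside this hunk, so whether it yields an authenticator for the `if authenticator` branch is inferred from the `email_confirmed?` expectation rather than visible here.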

GitHub sha: 73172f00
