oauth: github: handle private email

3 years ago · 5182031bca
parent f186278a5a
commit 5182031bca
5 changed files with 18 additions and 5 deletions
--- a/packages/hydrooj/package.json
+++ b/packages/hydrooj/package.json
@ -1,6 +1,6 @@
 {
    "name": "hydrooj",
-    "version": "3.4.13",
+    "version": "3.4.14",
    "bin": "bin/hydrooj.js",
    "main": "src/loader",
    "module": "src/loader",
--- a/packages/hydrooj/src/handler/user.ts
+++ b/packages/hydrooj/src/handler/user.ts
@ -381,6 +381,8 @@ class OauthCallbackHandler extends Handler {
            let username = '';
            r.uname = r.uname || [];
            r.uname.push(String.random(16));
+            const mailDomain = r.email.split('@')[1];
+            if (await BlackListModel.get(`mail::${mailDomain}`)) throw new BlacklistedError(mailDomain);
            for (const uname of r.uname) {
                // eslint-disable-next-line no-await-in-loop
                const nudoc = await user.getByUname('system', uname);
--- a/packages/hydrooj/src/interface.ts
+++ b/packages/hydrooj/src/interface.ts
@ -57,8 +57,8 @@ export interface Setting {

 export interface OAuthUserResponse {
    _id: string;
+    email: string;
    avatar?: string;
-    email?: string;
    bio?: string;
    uname?: string[];
    viewLang?: string;
--- a/packages/login-with-github/lib.ts
+++ b/packages/login-with-github/lib.ts
@ -1,6 +1,7 @@
 import 'hydrooj';

 import superagent from 'superagent';
+import { ForbiddenError } from 'hydrooj/src/error';

 declare module 'hydrooj' {
    interface SystemKeys {
@ -19,7 +20,7 @@ async function get() {
        system.get('login-with-github.id'),
        token.add(token.TYPE_OAUTH, 600, { redirect: this.request.referer }),
    ]);
-    this.response.redirect = `https://github.com/login/oauth/authorize?client_id=${appid}&state=${state}`;
+    this.response.redirect = `https://github.com/login/oauth/authorize?client_id=${appid}&state=${state}&scope=read:user,user:email`;
 }

 async function callback({ state, code }) {
@ -60,8 +61,18 @@ async function callback({ state, code }) {
        uname: [userInfo.body.name, userInfo.body.login],
        avatar: `github:${userInfo.body.login}`,
    };
-    this.response.redirect = s.redirect;
+    if (!ret.email) {
+        const emailInfo = await superagent.get(`${endpoint ? `${endpoint}/api` : 'https://api.github.com'}/user/emails`)
+            .set('User-Agent', 'Hydro-OAuth')
+            .set('Accept', 'application/vnd.github.v3+json')
+            .set('Authorization', `token ${t}`);
+        if (emailInfo.body.length) {
+            ret.email = emailInfo.body.find((e) => e.primary && e.verified).email;
+        }
+    }
    await token.del(s._id, token.TYPE_OAUTH);
+    if (!ret.email) throw new ForbiddenError("You don't have a verified email.");
+    this.response.redirect = (s.redirect || '').endsWith('/login') ? '/' : s.redirect;
    return ret;
 }

--- a/packages/login-with-github/package.json
+++ b/packages/login-with-github/package.json
@ -1,6 +1,6 @@
 {
    "name": "@hydrooj/login-with-github",
-    "version": "0.1.3",
+    "version": "0.1.4",
    "main": "package.json",
    "repository": "git@github.com:hydro-dev/Hydro.git",
    "author": "undefined <i@undefined.moe>",