debian-mirror-gitlab/app/controllers/omniauth_callbacks_controller.rb

# frozen_string_literal: true

class OmniauthCallbacksController < Devise::OmniauthCallbacksController
  include AuthenticatesWithTwoFactorForAdminMode
  include Devise::Controllers::Rememberable
  include AuthHelper
  include InitializesCurrentUserMode
  include KnownSignIn

  after_action :verify_known_sign_in

  protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true

  feature_category :authentication_and_authorization

  def handle_omniauth
    omniauth_flow(Gitlab::Auth::OAuth)
  end

  AuthHelper.providers_for_base_controller.each do |provider|
    alias_method provider, :handle_omniauth
  end

  # Extend the standard implementation to also increment
  # the number of failed sign in attempts
  def failure
    if params[:username].present? && AuthHelper.form_based_provider?(failed_strategy.name)
      user = User.by_login(params[:username])

      user&.increment_failed_attempts!
      log_failed_login(params[:username], failed_strategy.name)
    end

    super
  end

  # Extend the standard message generation to accept our custom exception
  def failure_message
    exception = request.env["omniauth.error"]
    error = exception.error_reason if exception.respond_to?(:error_reason)
    error ||= exception.error        if exception.respond_to?(:error)
    error ||= exception.message      if exception.respond_to?(:message)
    error ||= request.env["omniauth.error.type"].to_s

    error.to_s.humanize if error
  end

  def saml
    omniauth_flow(Gitlab::Auth::Saml)
  rescue Gitlab::Auth::Saml::IdentityLinker::UnverifiedRequest
    redirect_unverified_saml_initiation
  end

  def cas3
    ticket = params['ticket']
    if ticket
      handle_service_ticket oauth['provider'], ticket
    end

    handle_omniauth
  end

  def authentiq
    if params['sid']
      handle_service_ticket oauth['provider'], params['sid']
    end

    handle_omniauth
  end

  def auth0
    if oauth['uid'].blank?
      fail_auth0_login
    else
      handle_omniauth
    end
  end

  def salesforce
    if oauth.dig('extra', 'email_verified')
      handle_omniauth
    else
      fail_salesforce_login
    end
  end

  def atlassian_oauth2
    omniauth_flow(Gitlab::Auth::Atlassian)
  end

  private

  def log_failed_login(user, provider)
    # overridden in EE
  end

  def after_omniauth_failure_path_for(scope)
    if Gitlab::CurrentSettings.admin_mode
      return new_admin_session_path if current_user_mode.admin_mode_requested?
    end

    super
  end

  def omniauth_flow(auth_module, identity_linker: nil)
    if fragment = request.env.dig('omniauth.params', 'redirect_fragment').presence
      store_redirect_fragment(fragment)
    end

    if current_user
      return render_403 unless link_provider_allowed?(oauth['provider'])

      log_audit_event(current_user, with: oauth['provider'])

      if Gitlab::CurrentSettings.admin_mode
        return admin_mode_flow(auth_module::User) if current_user_mode.admin_mode_requested?
      end

      identity_linker ||= auth_module::IdentityLinker.new(current_user, oauth, session)
      link_identity(identity_linker)

      if identity_linker.changed?
        redirect_identity_linked
      elsif identity_linker.failed?
        redirect_identity_link_failed(identity_linker.error_message)
      else
        redirect_identity_exists
      end
    else
      sign_in_user_flow(auth_module::User)
    end
  end

  def link_identity(identity_linker)
    identity_linker.link
  end

  def redirect_identity_exists
    redirect_to after_sign_in_path_for(current_user)
  end

  def redirect_identity_link_failed(error_message)
    redirect_to profile_account_path, notice: _("Authentication failed: %{error_message}") % { error_message: error_message }
  end

  def redirect_identity_linked
    redirect_to profile_account_path, notice: _('Authentication method updated')
  end

  def handle_service_ticket(provider, ticket)
    Gitlab::Auth::OAuth::Session.create provider, ticket
    session[:service_tickets] ||= {}
    session[:service_tickets][provider] = ticket
  end

  def build_auth_user(auth_user_class)
    auth_user_class.new(oauth)
  end

  def sign_in_user_flow(auth_user_class)
    auth_user = build_auth_user(auth_user_class)
    user = auth_user.find_and_update!

    if auth_user.valid_sign_in?
      log_audit_event(user, with: oauth['provider'])

      set_remember_me(user)

      if user.two_factor_enabled? && !auth_user.bypass_two_factor?
        prompt_for_two_factor(user)
      else
        if user.deactivated?
          user.activate
          flash[:notice] = _('Welcome back! Your account had been deactivated due to inactivity but is now reactivated.')
        end

        sign_in_and_redirect(user, event: :authentication)
      end
    else
      fail_login(user)
    end
  rescue Gitlab::Auth::OAuth::User::SigninDisabledForProviderError
    handle_disabled_provider
  rescue Gitlab::Auth::OAuth::User::SignupDisabledError
    handle_signup_error
  end

  def handle_signup_error
    label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
    message = [_("Signing in using your %{label} account without a pre-existing GitLab account is not allowed.") % { label: label }]

    if Gitlab::CurrentSettings.allow_signup?
      message << _("Create a GitLab account first, and then connect it to your %{label} account.") % { label: label }
    end

    flash[:alert] = message.join(' ')
    redirect_to new_user_session_path
  end

  def oauth
    @oauth ||= request.env['omniauth.auth']
  end

  def fail_login(user)
    log_failed_login(user.username, oauth['provider'])

    @provider = Gitlab::Auth::OAuth::Provider.label_for(params[:action])
    @error = user.errors.full_messages.to_sentence

    render 'errors/omniauth_error', layout: "oauth_error", status: :unprocessable_entity
  end

  def fail_auth0_login
    fail_login_with_message(_('Wrong extern UID provided. Make sure Auth0 is configured correctly.'))
  end

  def fail_salesforce_login
    fail_login_with_message(_('Email not verified. Please verify your email in Salesforce.'))
  end

  def fail_login_with_message(message)
    flash[:alert] = message

    redirect_to new_user_session_path
  end

  def redirect_unverified_saml_initiation
    redirect_to profile_account_path, notice: _('Request to link SAML account must be authorized')
  end

  def handle_disabled_provider
    label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
    flash[:alert] = _("Signing in using %{label} has been disabled") % { label: label }

    redirect_to new_user_session_path
  end

  def log_audit_event(user, options = {})
    AuditEventService.new(user, user, options)
      .for_authentication.security_event
  end

  def set_remember_me(user)
    return unless remember_me?

    if user.two_factor_enabled?
      params[:remember_me] = '1'
    else
      remember_me(user)
    end
  end

  def remember_me?
    request_params = request.env['omniauth.params']
    (request_params['remember_me'] == '1') if request_params.present?
  end

  def store_redirect_fragment(redirect_fragment)
    key = stored_location_key_for(:user)
    location = session[key]
    if uri = parse_uri(location)
      uri.fragment = redirect_fragment
      store_location_for(:user, uri.to_s)
    end
  end

  def admin_mode_flow(auth_user_class)
    auth_user = build_auth_user(auth_user_class)

    return fail_admin_mode_invalid_credentials unless omniauth_identity_matches_current_user?

    if current_user.two_factor_enabled? && !auth_user.bypass_two_factor?
      admin_mode_prompt_for_two_factor(current_user)
    else
      # Can only reach here if the omniauth identity matches current user
      # and current_user is an admin that requested admin mode
      current_user_mode.enable_admin_mode!(skip_password_validation: true)

      redirect_to stored_location_for(:redirect) || admin_root_path, notice: _('Admin mode enabled')
    end
  end

  def omniauth_identity_matches_current_user?
    current_user.matches_identity?(oauth['provider'], oauth['uid'])
  end

  def fail_admin_mode_invalid_credentials
    redirect_to new_admin_session_path, alert: _('Invalid login or password')
  end
end

OmniauthCallbacksController.prepend_mod_with('OmniauthCallbacksController')
New upstream version 11.4.9+dfsg 2018-12-05 23:21:45 +05:30			`# frozen_string_literal: true`

Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`class OmniauthCallbacksController < Devise::OmniauthCallbacksController`
New upstream version 13.5.5 2021-01-03 14:25:43 +05:30			`include AuthenticatesWithTwoFactorForAdminMode`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`include Devise::Controllers::Rememberable`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`include AuthHelper`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`include InitializesCurrentUserMode`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`include KnownSignIn`

			`after_action :verify_known_sign_in`
Imported Upstream version 7.14.3 2015-09-11 14:41:01 +05:30
New upstream version 11.8.0 2019-03-02 22:35:43 +05:30			`protect_from_forgery except: [:kerberos, :saml, :cas3, :failure], with: :exception, prepend: true`
Imported Upstream version 7.14.3 2015-09-11 14:41:01 +05:30
New upstream version 13.5.5 2021-01-03 14:25:43 +05:30			`feature_category :authentication_and_authorization`

New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`def handle_omniauth`
			`omniauth_flow(Gitlab::Auth::OAuth)`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`end`

New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`AuthHelper.providers_for_base_controller.each do \|provider\|`
			`alias_method provider, :handle_omniauth`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`

New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`# Extend the standard implementation to also increment`
			`# the number of failed sign in attempts`
			`def failure`
			`if params[:username].present? && AuthHelper.form_based_provider?(failed_strategy.name)`
			`user = User.by_login(params[:username])`

			`user&.increment_failed_attempts!`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`log_failed_login(params[:username], failed_strategy.name)`
New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`end`

			`super`
			`end`

Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`# Extend the standard message generation to accept our custom exception`
			`def failure_message`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`exception = request.env["omniauth.error"]`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`error = exception.error_reason if exception.respond_to?(:error_reason)`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`error \|\|= exception.error if exception.respond_to?(:error)`
			`error \|\|= exception.message if exception.respond_to?(:message)`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`error \|\|= request.env["omniauth.error.type"].to_s`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`error.to_s.humanize if error`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`end`

Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`def saml`
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`omniauth_flow(Gitlab::Auth::Saml)`
New upstream version 12.1.12 2019-09-30 23:59:55 +05:30			`rescue Gitlab::Auth::Saml::IdentityLinker::UnverifiedRequest`
			`redirect_unverified_saml_initiation`
Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`end`

Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30			`def cas3`
			`ticket = params['ticket']`
			`if ticket`
			`handle_service_ticket oauth['provider'], ticket`
			`end`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30			`handle_omniauth`
			`end`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`def authentiq`
			`if params['sid']`
			`handle_service_ticket oauth['provider'], params['sid']`
			`end`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`handle_omniauth`
			`end`

New upstream version 10.5.6+dfsg 2018-03-26 14:24:53 +05:30			`def auth0`
			`if oauth['uid'].blank?`
			`fail_auth0_login`
			`else`
			`handle_omniauth`
			`end`
			`end`

New upstream version 12.1.12 2019-09-30 23:59:55 +05:30			`def salesforce`
			`if oauth.dig('extra', 'email_verified')`
			`handle_omniauth`
			`else`
			`fail_salesforce_login`
			`end`
			`end`

New upstream version 13.4.6 2020-11-24 15:15:51 +05:30			`def atlassian_oauth2`
			`omniauth_flow(Gitlab::Auth::Atlassian)`
			`end`

Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`private`

New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`def log_failed_login(user, provider)`
			`# overridden in EE`
			`end`

New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`def after_omniauth_failure_path_for(scope)`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`if Gitlab::CurrentSettings.admin_mode`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`return new_admin_session_path if current_user_mode.admin_mode_requested?`
			`end`

			`super`
			`end`

New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`def omniauth_flow(auth_module, identity_linker: nil)`
New upstream version 11.8.0 2019-03-02 22:35:43 +05:30			`if fragment = request.env.dig('omniauth.params', 'redirect_fragment').presence`
			`store_redirect_fragment(fragment)`
			`end`

Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`if current_user`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`return render_403 unless link_provider_allowed?(oauth['provider'])`

Imported Upstream version 7.14.3 2015-09-11 14:41:01 +05:30			`log_audit_event(current_user, with: oauth['provider'])`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`if Gitlab::CurrentSettings.admin_mode`
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`return admin_mode_flow(auth_module::User) if current_user_mode.admin_mode_requested?`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`end`

			`identity_linker \|\|= auth_module::IdentityLinker.new(current_user, oauth, session)`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`link_identity(identity_linker)`
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30
			`if identity_linker.changed?`
			`redirect_identity_linked`
			`elsif identity_linker.failed?`
			`redirect_identity_link_failed(identity_linker.error_message)`
			`else`
			`redirect_identity_exists`
			`end`
			`else`
			`sign_in_user_flow(auth_module::User)`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`end`
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`end`

New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`def link_identity(identity_linker)`
			`identity_linker.link`
			`end`

New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`def redirect_identity_exists`
			`redirect_to after_sign_in_path_for(current_user)`
			`end`

			`def redirect_identity_link_failed(error_message)`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`redirect_to profile_account_path, notice: _("Authentication failed: %{error_message}") % { error_message: error_message }`
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`end`

			`def redirect_identity_linked`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`redirect_to profile_account_path, notice: _('Authentication method updated')`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`end`

Imported Upstream version 8.9.0+debian~rc4 2016-06-16 23:09:34 +05:30			`def handle_service_ticket(provider, ticket)`
New upstream version 10.6.0+dfsg 2018-03-27 19:54:05 +05:30			`Gitlab::Auth::OAuth::Session.create provider, ticket`
Imported Upstream version 8.4.0+dfsg~rc1 2016-01-14 18:37:52 +05:30			`session[:service_tickets] \|\|= {}`
			`session[:service_tickets][provider] = ticket`
			`end`

New upstream version 11.8.0 2019-03-02 22:35:43 +05:30			`def build_auth_user(auth_user_class)`
			`auth_user_class.new(oauth)`
			`end`

New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`def sign_in_user_flow(auth_user_class)`
New upstream version 11.8.0 2019-03-02 22:35:43 +05:30			`auth_user = build_auth_user(auth_user_class)`
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`user = auth_user.find_and_update!`

			`if auth_user.valid_sign_in?`
			`log_audit_event(user, with: oauth['provider'])`

			`set_remember_me(user)`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`if user.two_factor_enabled? && !auth_user.bypass_two_factor?`
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`prompt_for_two_factor(user)`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`else`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`if user.deactivated?`
			`user.activate`
			`flash[:notice] = _('Welcome back! Your account had been deactivated due to inactivity but is now reactivated.')`
			`end`

New upstream version 12.2.8 2019-10-12 21:52:04 +05:30			`sign_in_and_redirect(user, event: :authentication)`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30			`end`
Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`else`
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`fail_login(user)`
Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`end`
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`rescue Gitlab::Auth::OAuth::User::SigninDisabledForProviderError`
			`handle_disabled_provider`
			`rescue Gitlab::Auth::OAuth::User::SignupDisabledError`
			`handle_signup_error`
Imported Upstream version 8.5.8+dfsg 2016-04-02 18:10:28 +05:30			`end`

Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`def handle_signup_error`
New upstream version 10.6.0+dfsg 2018-03-27 19:54:05 +05:30			`label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`message = [_("Signing in using your %{label} account without a pre-existing GitLab account is not allowed.") % { label: label }]`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`if Gitlab::CurrentSettings.allow_signup?`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`message << _("Create a GitLab account first, and then connect it to your %{label} account.") % { label: label }`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`end`

New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`flash[:alert] = message.join(' ')`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`redirect_to new_user_session_path`
			`end`

Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`def oauth`
			`@oauth \|\|= request.env['omniauth.auth']`
			`end`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`def fail_login(user)`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`log_failed_login(user.username, oauth['provider'])`

New upstream version 13.2.8 2020-09-03 11:15:55 +05:30			`@provider = Gitlab::Auth::OAuth::Provider.label_for(params[:action])`
			`@error = user.errors.full_messages.to_sentence`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30
New upstream version 13.2.8 2020-09-03 11:15:55 +05:30			`render 'errors/omniauth_error', layout: "oauth_error", status: :unprocessable_entity`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`end`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 10.5.6+dfsg 2018-03-26 14:24:53 +05:30			`def fail_auth0_login`
New upstream version 12.1.12 2019-09-30 23:59:55 +05:30			`fail_login_with_message(_('Wrong extern UID provided. Make sure Auth0 is configured correctly.'))`
			`end`

			`def fail_salesforce_login`
			`fail_login_with_message(_('Email not verified. Please verify your email in Salesforce.'))`
			`end`

			`def fail_login_with_message(message)`
			`flash[:alert] = message`
New upstream version 10.5.6+dfsg 2018-03-26 14:24:53 +05:30
			`redirect_to new_user_session_path`
			`end`

New upstream version 12.1.12 2019-09-30 23:59:55 +05:30			`def redirect_unverified_saml_initiation`
			`redirect_to profile_account_path, notice: _('Request to link SAML account must be authorized')`
			`end`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`def handle_disabled_provider`
New upstream version 10.6.0+dfsg 2018-03-27 19:54:05 +05:30			`label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`flash[:alert] = _("Signing in using %{label} has been disabled") % { label: label }`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
			`redirect_to new_user_session_path`
			`end`

Imported Upstream version 7.14.3 2015-09-11 14:41:01 +05:30			`def log_audit_event(user, options = {})`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`AuditEventService.new(user, user, options)`
			`.for_authentication.security_event`
			`end`

New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`def set_remember_me(user)`
			`return unless remember_me?`

			`if user.two_factor_enabled?`
			`params[:remember_me] = '1'`
			`else`
			`remember_me(user)`
			`end`
			`end`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`def remember_me?`
			`request_params = request.env['omniauth.params']`
			`(request_params['remember_me'] == '1') if request_params.present?`
Imported Upstream version 7.14.3 2015-09-11 14:41:01 +05:30			`end`
New upstream version 11.8.0 2019-03-02 22:35:43 +05:30
			`def store_redirect_fragment(redirect_fragment)`
			`key = stored_location_key_for(:user)`
			`location = session[key]`
			`if uri = parse_uri(location)`
			`uri.fragment = redirect_fragment`
			`store_location_for(:user, uri.to_s)`
			`end`
			`end`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`def admin_mode_flow(auth_user_class)`
			`auth_user = build_auth_user(auth_user_class)`

			`return fail_admin_mode_invalid_credentials unless omniauth_identity_matches_current_user?`

			`if current_user.two_factor_enabled? && !auth_user.bypass_two_factor?`
			`admin_mode_prompt_for_two_factor(current_user)`
			`else`
			`# Can only reach here if the omniauth identity matches current user`
			`# and current_user is an admin that requested admin mode`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`current_user_mode.enable_admin_mode!(skip_password_validation: true)`

			`redirect_to stored_location_for(:redirect) \|\| admin_root_path, notice: _('Admin mode enabled')`
			`end`
			`end`

			`def omniauth_identity_matches_current_user?`
			`current_user.matches_identity?(oauth['provider'], oauth['uid'])`
			`end`

			`def fail_admin_mode_invalid_credentials`
			`redirect_to new_admin_session_path, alert: _('Invalid login or password')`
			`end`
Imported Upstream version 7.2.1 2014-09-02 18:07:02 +05:30			`end`
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`OmniauthCallbacksController.prepend_mod_with('OmniauthCallbacksController')`