diff --git a/app/controllers/api/v1/accounts/google/authorizations_controller.rb b/app/controllers/api/v1/accounts/google/authorizations_controller.rb index 1140a214b..87a7cfa3f 100644 --- a/app/controllers/api/v1/accounts/google/authorizations_controller.rb +++ b/app/controllers/api/v1/accounts/google/authorizations_controller.rb @@ -1,32 +1,23 @@ -class Api::V1::Accounts::Google::AuthorizationsController < Api::V1::Accounts::BaseController +class Api::V1::Accounts::Google::AuthorizationsController < Api::V1::Accounts::OauthAuthorizationController include GoogleConcern - before_action :check_authorization def create - email = params[:authorization][:email] redirect_url = google_client.auth_code.authorize_url( { redirect_uri: "#{base_url}/google/callback", - scope: 'email profile https://mail.google.com/', + scope: scope, response_type: 'code', prompt: 'consent', # the oauth flow does not return a refresh token, this is supposed to fix it access_type: 'offline', # the default is 'online' + state: state, client_id: GlobalConfigService.load('GOOGLE_OAUTH_CLIENT_ID', nil) } ) if redirect_url - cache_key = "google::#{email.downcase}" - ::Redis::Alfred.setex(cache_key, Current.account.id, 5.minutes) render json: { success: true, url: redirect_url } else render json: { success: false }, status: :unprocessable_entity end end - - private - - def check_authorization - raise Pundit::NotAuthorizedError unless Current.account_user.administrator? - end end diff --git a/app/controllers/api/v1/accounts/instagram/authorizations_controller.rb b/app/controllers/api/v1/accounts/instagram/authorizations_controller.rb index eace4411a..053c29731 100644 --- a/app/controllers/api/v1/accounts/instagram/authorizations_controller.rb +++ b/app/controllers/api/v1/accounts/instagram/authorizations_controller.rb @@ -1,7 +1,6 @@ -class Api::V1::Accounts::Instagram::AuthorizationsController < Api::V1::Accounts::BaseController +class Api::V1::Accounts::Instagram::AuthorizationsController < Api::V1::Accounts::OauthAuthorizationController include InstagramConcern include Instagram::IntegrationHelper - before_action :check_authorization def create # https://developers.facebook.com/docs/instagram-platform/instagram-api-with-instagram-login/business-login#step-1--get-authorization @@ -21,10 +20,4 @@ class Api::V1::Accounts::Instagram::AuthorizationsController < Api::V1::Accounts render json: { success: false }, status: :unprocessable_entity end end - - private - - def check_authorization - raise Pundit::NotAuthorizedError unless Current.account_user.administrator? - end end diff --git a/app/controllers/api/v1/accounts/microsoft/authorizations_controller.rb b/app/controllers/api/v1/accounts/microsoft/authorizations_controller.rb index df563094a..a300b5f59 100644 --- a/app/controllers/api/v1/accounts/microsoft/authorizations_controller.rb +++ b/app/controllers/api/v1/accounts/microsoft/authorizations_controller.rb @@ -1,28 +1,19 @@ -class Api::V1::Accounts::Microsoft::AuthorizationsController < Api::V1::Accounts::BaseController +class Api::V1::Accounts::Microsoft::AuthorizationsController < Api::V1::Accounts::OauthAuthorizationController include MicrosoftConcern - before_action :check_authorization def create - email = params[:authorization][:email] redirect_url = microsoft_client.auth_code.authorize_url( { redirect_uri: "#{base_url}/microsoft/callback", - scope: 'offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send openid profile', + scope: scope, + state: state, prompt: 'consent' } ) if redirect_url - cache_key = "microsoft::#{email.downcase}" - ::Redis::Alfred.setex(cache_key, Current.account.id, 5.minutes) render json: { success: true, url: redirect_url } else render json: { success: false }, status: :unprocessable_entity end end - - private - - def check_authorization - raise Pundit::NotAuthorizedError unless Current.account_user.administrator? - end end diff --git a/app/controllers/api/v1/accounts/oauth_authorization_controller.rb b/app/controllers/api/v1/accounts/oauth_authorization_controller.rb new file mode 100644 index 000000000..feb218b59 --- /dev/null +++ b/app/controllers/api/v1/accounts/oauth_authorization_controller.rb @@ -0,0 +1,23 @@ +class Api::V1::Accounts::OauthAuthorizationController < Api::V1::Accounts::BaseController + before_action :check_authorization + + protected + + def scope + '' + end + + def state + Current.account.to_sgid(expires_in: 15.minutes).to_s + end + + def base_url + ENV.fetch('FRONTEND_URL', 'http://localhost:3000') + end + + private + + def check_authorization + raise Pundit::NotAuthorizedError unless Current.account_user.administrator? + end +end diff --git a/app/controllers/concerns/google_concern.rb b/app/controllers/concerns/google_concern.rb index 474b14aec..13de7ced3 100644 --- a/app/controllers/concerns/google_concern.rb +++ b/app/controllers/concerns/google_concern.rb @@ -14,7 +14,7 @@ module GoogleConcern private - def base_url - ENV.fetch('FRONTEND_URL', 'http://localhost:3000') + def scope + 'email profile https://mail.google.com/' end end diff --git a/app/controllers/concerns/microsoft_concern.rb b/app/controllers/concerns/microsoft_concern.rb index 507b9f8a3..c3e0994bd 100644 --- a/app/controllers/concerns/microsoft_concern.rb +++ b/app/controllers/concerns/microsoft_concern.rb @@ -15,7 +15,7 @@ module MicrosoftConcern private - def base_url - ENV.fetch('FRONTEND_URL', 'http://localhost:3000') + def scope + 'offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send openid profile email' end end diff --git a/app/controllers/oauth_callback_controller.rb b/app/controllers/oauth_callback_controller.rb index 9aa73956a..be0fa5008 100644 --- a/app/controllers/oauth_callback_controller.rb +++ b/app/controllers/oauth_callback_controller.rb @@ -6,7 +6,6 @@ class OauthCallbackController < ApplicationController ) handle_response - ::Redis::Alfred.delete(cache_key) rescue StandardError => e ChatwootExceptionTracker.new(e).capture_exception redirect_to '/' @@ -64,10 +63,6 @@ class OauthCallbackController < ApplicationController raise NotImplementedError end - def cache_key - "#{provider_name}::#{users_data['email'].downcase}" - end - def create_channel_with_inbox ActiveRecord::Base.transaction do channel_email = Channel::Email.create!(email: users_data['email'], account: account) @@ -86,12 +81,17 @@ class OauthCallbackController < ApplicationController decoded_token[0] end - def account_id - ::Redis::Alfred.get(cache_key) + def account_from_signed_id + raise ActionController::BadRequest, 'Missing state variable' if params[:state].blank? + + account = GlobalID::Locator.locate_signed(params[:state]) + raise 'Invalid or expired state' if account.nil? + + account end def account - @account ||= Account.find(account_id) + @account ||= account_from_signed_id end # Fallback name, for when name field is missing from users_data diff --git a/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/Google.vue b/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/Google.vue index 1628d3e62..a5c16fa57 100644 --- a/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/Google.vue +++ b/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/Google.vue @@ -12,7 +12,6 @@ defineOptions({ provider="google" :title="$t('INBOX_MGMT.ADD.GOOGLE.TITLE')" :description="$t('INBOX_MGMT.ADD.GOOGLE.DESCRIPTION')" - :input-placeholder="$t('INBOX_MGMT.ADD.GOOGLE.EMAIL_PLACEHOLDER')" :submit-button-text="$t('INBOX_MGMT.ADD.GOOGLE.SIGN_IN')" :error-message="$t('INBOX_MGMT.ADD.GOOGLE.ERROR_MESSAGE')" /> diff --git a/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/Microsoft.vue b/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/Microsoft.vue index 1e3706297..53cf5ccc7 100644 --- a/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/Microsoft.vue +++ b/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/Microsoft.vue @@ -12,7 +12,6 @@ defineOptions({ provider="microsoft" :title="$t('INBOX_MGMT.ADD.MICROSOFT.TITLE')" :description="$t('INBOX_MGMT.ADD.MICROSOFT.DESCRIPTION')" - :input-placeholder="$t('INBOX_MGMT.ADD.MICROSOFT.EMAIL_PLACEHOLDER')" :submit-button-text="$t('INBOX_MGMT.ADD.MICROSOFT.SIGN_IN')" :error-message="$t('INBOX_MGMT.ADD.MICROSOFT.ERROR_MESSAGE')" /> diff --git a/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/OAuthChannel.vue b/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/OAuthChannel.vue index eb109c6f2..f2bfb63f3 100644 --- a/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/OAuthChannel.vue +++ b/app/javascript/dashboard/routes/dashboard/settings/inbox/channels/emailChannels/OAuthChannel.vue @@ -30,14 +30,9 @@ const props = defineProps({ type: String, required: true, }, - inputPlaceholder: { - type: String, - required: true, - }, }); const isRequestingAuthorization = ref(false); -const email = ref(''); const client = computed(() => { if (props.provider === 'microsoft') { @@ -50,9 +45,7 @@ const client = computed(() => { async function requestAuthorization() { try { isRequestingAuthorization.value = true; - const response = await client.value.generateAuthorization({ - email: email.value, - }); + const response = await client.value.generateAuthorization(); const { data: { url }, } = response; @@ -75,11 +68,6 @@ async function requestAuthorization() { :header-content="description" />
- "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/google/callback" }) .to_return(status: 200, body: response_body_success.to_json, headers: { 'Content-Type' => 'application/json' }) - get google_callback_url, params: { code: code } + get google_callback_url, params: { code: code, state: state } expect(response).to redirect_to app_email_inbox_agents_url(account_id: account.id, inbox_id: account.inboxes.last.id) expect(account.inboxes.count).to be 1 @@ -36,7 +32,6 @@ RSpec.describe 'Google::CallbacksController', type: :request do expect(inbox.channel.reload.provider_config.keys).to include('access_token', 'refresh_token', 'expires_on') expect(inbox.channel.reload.provider_config['access_token']).to eq response_body_success[:access_token] expect(inbox.channel.imap_address).to eq 'imap.gmail.com' - expect(Redis::Alfred.get(cache_key)).to be_nil end it 'updates inbox channel config if inbox exists with imap_login and authentication is successful' do @@ -49,14 +44,13 @@ RSpec.describe 'Google::CallbacksController', type: :request do 'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/google/callback" }) .to_return(status: 200, body: response_body_success.to_json, headers: { 'Content-Type' => 'application/json' }) - get google_callback_url, params: { code: code } + get google_callback_url, params: { code: code, state: state } expect(response).to redirect_to app_email_inbox_settings_url(account_id: account.id, inbox_id: inbox.id) expect(account.inboxes.count).to be 1 expect(inbox.channel.reload.provider_config.keys).to include('access_token', 'refresh_token', 'expires_on') expect(inbox.channel.reload.provider_config['access_token']).to eq response_body_success[:access_token] expect(inbox.channel.imap_address).to eq 'imap.gmail.com' - expect(Redis::Alfred.get(cache_key)).to be_nil end it 'creates inboxes with fallback_name when account name is not present in id_token' do @@ -65,7 +59,7 @@ RSpec.describe 'Google::CallbacksController', type: :request do 'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/google/callback" }) .to_return(status: 200, body: response_body_success_without_name.to_json, headers: { 'Content-Type' => 'application/json' }) - get google_callback_url, params: { code: code } + get google_callback_url, params: { code: code, state: state } expect(response).to redirect_to app_email_inbox_agents_url(account_id: account.id, inbox_id: account.inboxes.last.id) expect(account.inboxes.count).to be 1 @@ -79,10 +73,9 @@ RSpec.describe 'Google::CallbacksController', type: :request do 'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/google/callback" }) .to_return(status: 401) - get google_callback_url, params: { code: code } + get google_callback_url, params: { code: code, state: state } expect(response).to redirect_to '/' - expect(Redis::Alfred.get(cache_key).to_i).to eq account.id end end end diff --git a/spec/controllers/microsoft/callbacks_controller_spec.rb b/spec/controllers/microsoft/callbacks_controller_spec.rb index 41d8dbd29..6bd9a0583 100644 --- a/spec/controllers/microsoft/callbacks_controller_spec.rb +++ b/spec/controllers/microsoft/callbacks_controller_spec.rb @@ -4,11 +4,7 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do let(:account) { create(:account) } let(:code) { SecureRandom.hex(10) } let(:email) { Faker::Internet.email } - let(:cache_key) { "microsoft::#{email.downcase}" } - - before do - Redis::Alfred.set(cache_key, account.id) - end + let(:state) { account.to_sgid(expires_in: 15.minutes).to_s } describe 'GET /microsoft/callback' do let(:response_body_success) do @@ -27,7 +23,7 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do 'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/microsoft/callback" }) .to_return(status: 200, body: response_body_success.to_json, headers: { 'Content-Type' => 'application/json' }) - get microsoft_callback_url, params: { code: code } + get microsoft_callback_url, params: { code: code, state: state } expect(response).to redirect_to app_email_inbox_agents_url(account_id: account.id, inbox_id: account.inboxes.last.id) expect(account.inboxes.count).to be 1 @@ -36,7 +32,6 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do expect(inbox.channel.reload.provider_config.keys).to include('access_token', 'refresh_token', 'expires_on') expect(inbox.channel.reload.provider_config['access_token']).to eq response_body_success[:access_token] expect(inbox.channel.imap_address).to eq 'outlook.office365.com' - expect(Redis::Alfred.get(cache_key)).to be_nil end it 'creates updates inbox channel config if inbox exists and authentication is successful' do @@ -48,14 +43,13 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do 'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/microsoft/callback" }) .to_return(status: 200, body: response_body_success.to_json, headers: { 'Content-Type' => 'application/json' }) - get microsoft_callback_url, params: { code: code } + get microsoft_callback_url, params: { code: code, state: state } expect(response).to redirect_to app_email_inbox_settings_url(account_id: account.id, inbox_id: account.inboxes.last.id) expect(account.inboxes.count).to be 1 expect(inbox.channel.reload.provider_config.keys).to include('access_token', 'refresh_token', 'expires_on') expect(inbox.channel.reload.provider_config['access_token']).to eq response_body_success[:access_token] expect(inbox.channel.imap_address).to eq 'outlook.office365.com' - expect(Redis::Alfred.get(cache_key)).to be_nil end it 'creates inboxes with fallback_name when account name is not present in id_token' do @@ -64,7 +58,7 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do 'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/microsoft/callback" }) .to_return(status: 200, body: response_body_success_without_name.to_json, headers: { 'Content-Type' => 'application/json' }) - get microsoft_callback_url, params: { code: code } + get microsoft_callback_url, params: { code: code, state: state } expect(response).to redirect_to app_email_inbox_agents_url(account_id: account.id, inbox_id: account.inboxes.last.id) expect(account.inboxes.count).to be 1 @@ -78,10 +72,9 @@ RSpec.describe 'Microsoft::CallbacksController', type: :request do 'redirect_uri' => "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/microsoft/callback" }) .to_return(status: 401) - get microsoft_callback_url, params: { code: code } + get microsoft_callback_url, params: { code: code, state: state } expect(response).to redirect_to '/' - expect(Redis::Alfred.get(cache_key).to_i).to eq account.id end end end