Use GitHub user ids instead of usernames for authentication

Otherwise, renaming a GitHub account could allow someone else to gain access to a CDB account.
2024-12-22 14:02:24 +01:00 · 2024-03-30 16:52:17 +00:00 · 2024-03-30 16:52:17 +00:00 · f5dd77fcb3
commit f5dd77fcb3
parent a8d2cc0383
8 changed files with 118 additions and 8 deletions
--- a/app/blueprints/admin/actions.py
+++ b/app/blueprints/admin/actions.py
@ -28,6 +28,7 @@ from app.tasks.emails import send_pending_digests
 from app.tasks.forumtasks import import_topic_list, check_all_forum_accounts
 from app.tasks.importtasks import import_repo_screenshot, check_zip_release, check_for_updates, update_all_game_support, \
 	import_languages
+from app.tasks.usertasks import import_github_user_ids
 from app.utils import add_notification, get_system_user

 actions = {}
@ -289,6 +290,13 @@ def do_send_pending_digests():
 	send_pending_digests.delay()


+@action("Import user ids from GitHub")
+def do_import_github_user_ids():
+	task_id = uuid()
+	import_github_user_ids.apply_async((), task_id=task_id)
+	return redirect(url_for("tasks.check", id=task_id, r=url_for("admin.admin_page")))
+
+
@action("DANGER: Delete removed packages")
 def del_removed_packages():
 	query = Package.query.filter_by(state=PackageState.DELETED)
--- a/app/blueprints/github/init.py
+++ b/app/blueprints/github/init.py
@ -23,7 +23,7 @@ bp = Blueprint("github", __name__)

 from flask import redirect, url_for, request, flash, jsonify, current_app
 from flask_login import current_user
-from sqlalchemy import func, or_, and_
+from sqlalchemy import or_, and_
 from app import github, csrf
 from app.models import db, User, APIToken, Package, Permission, AuditSeverity, PackageState
 from app.utils import abs_url_for, add_audit_log, login_user_set_active, is_safe_url
@ -65,18 +65,23 @@ def callback(oauth_token):
 	# Get GitGub username
 	url = "https://api.github.com/user"
 	r = requests.get(url, headers={"Authorization": "token " + oauth_token})
-	username = r.json()["login"]
+	json = r.json()
+	user_id = json["id"]
+	username = json["login"]

-	# Get user by GitHub username
-	userByGithub = User.query.filter(func.lower(User.github_username) == func.lower(username)).first()
+	# Get user by GitHub user ID
+	userByGithub = User.query.filter(User.github_user_id == user_id).first()

 	# If logged in, connect
 	if current_user and current_user.is_authenticated:
 		if userByGithub is None:
 			current_user.github_username = username
+			current_user.github_user_id = user_id
 			db.session.commit()
 			flash(gettext("Linked GitHub to account"), "success")
 			return redirect(redirect_to)
+		elif userByGithub == current_user:
+			return redirect(redirect_to)
 		else:
 			flash(gettext("GitHub account is already associated with another user"), "danger")
 			return redirect(redirect_to)
--- a/app/blueprints/users/settings.py
+++ b/app/blueprints/users/settings.py
@ -25,6 +25,7 @@ from wtforms.validators import Length, Optional, Email, URL
 from app.models import User, AuditSeverity, db, UserRank, PackageAlias, EmailSubscription, UserNotificationPreferences, \
 	UserEmailVerification, Permission, NotificationType, UserBan
 from app.tasks.emails import send_verify_email
+from app.tasks.usertasks import update_github_user_id
 from app.utils import nonempty_or_none, add_audit_log, random_string, rank_required, has_blocked_domains
 from . import bp

@ -335,7 +336,12 @@ def modtools(username):

 			user.display_name = form.display_name.data
 			user.forums_username = nonempty_or_none(form.forums_username.data)
-			user.github_username = nonempty_or_none(form.github_username.data)
+			github_username = nonempty_or_none(form.github_username.data)
+			if github_username is None:
+				user.github_username = None
+				user.github_user_id = None
+			else:
+				update_github_user_id.delay(user.id, github_username)

 		if user.check_perm(current_user, Permission.CHANGE_RANK):
 			new_rank = form["rank"].data
--- a/app/models/users.py
+++ b/app/models/users.py
@ -144,6 +144,7 @@ class User(db.Model, UserMixin):

 	# Account linking
 	github_username = db.Column(db.String(50, collation="NOCASE"), nullable=True, unique=True)
+	github_user_id = db.Column(db.Integer, nullable=True, unique=True)
 	forums_username = db.Column(db.String(50, collation="NOCASE"), nullable=True, unique=True)

 	# Access token for webhook setup
--- a/app/tasks/forumtasks.py
+++ b/app/tasks/forumtasks.py
@ -24,7 +24,7 @@ from app.models import User, db, PackageType, ForumTopic
 from app.tasks import celery
 from app.utils import is_username_valid
 from app.utils.phpbbparser import get_profile, get_topics_from_forum
-from .usertasks import set_profile_picture_from_url
+from .usertasks import set_profile_picture_from_url, update_github_user_id_raw


@celery.task()
@ -53,6 +53,7 @@ def check_forum_account(forums_username, force_replace_pic=False):
 	if github_username is not None and github_username.strip() != "":
 		print("Updated GitHub username for " + user.display_name + " to " + github_username)
 		user.github_username = github_username
+		update_github_user_id_raw(user)
 		needs_saving = True

 	pic = profile.avatar
--- a/app/tasks/usertasks.py
+++ b/app/tasks/usertasks.py
@ -19,12 +19,13 @@ import datetime, requests
 import os
 import sys

+from flask import url_for
 from sqlalchemy import or_, and_

 from app import app
-from app.models import User, db, UserRank, ThreadReply, Package
+from app.models import User, db, UserRank, ThreadReply, Package, NotificationType
 from app.utils import random_string
-from app.utils.models import create_session
+from app.utils.models import create_session, add_notification, get_system_user
 from app.tasks import celery, TaskError


@ -92,3 +93,60 @@ def set_profile_picture_from_url(username: str, url: str):
 	db.session.commit()

 	return filepath
+
+
+def update_github_user_id_raw(user: User, send_notif: bool = False):
+	github_api_token = app.config.get("GITHUB_API_TOKEN")
+	if github_api_token is None or github_api_token == "":
+		raise TaskError("Importing requires a GitHub API token")
+
+	url = f"https://api.github.com/users/{user.github_username}"
+	resp = requests.get(url, headers={"Authorization": "token " + github_api_token}, timeout=15)
+	if resp.status_code == 404:
+		print(" - not found", file=sys.stderr)
+		if send_notif:
+			system_user = get_system_user()
+			add_notification(user, system_user, NotificationType.BOT,
+					f"GitHub account {user.github_username} does not exist, so has been disconnected from your account",
+					url_for("users.profile", username=user.username), None)
+		user.github_username = None
+		return False
+	elif resp.status_code != 200:
+		print(" - " + resp.json()["message"], file=sys.stderr)
+		return False
+
+	json = resp.json()
+	user_id = json.get("id")
+	if type(user_id) is not int:
+		raise TaskError(f"{url} returned non-int id")
+
+	user.github_user_id = user_id
+	return True
+
+
+@celery.task()
+def update_github_user_id(user_id: int, github_username: str):
+	user = User.query.get(user_id)
+	if user is None:
+		raise TaskError("Unable to find that user")
+
+	user.github_username = github_username
+	if update_github_user_id_raw(user):
+		db.session.commit()
+	else:
+		raise TaskError(f"Unable to set the GitHub username to {github_username}")
+
+
+@celery.task()
+def import_github_user_ids():
+	users = User.query.filter(User.github_user_id.is_(None), User.github_username.is_not(None)).all()
+	total = len(users)
+	count = 0
+	for i, user in enumerate(users):
+		print(f"[{i + 1} / {total}] Getting GitHub user id for {user.github_username}", file=sys.stderr)
+		if update_github_user_id_raw(user, send_notif=True):
+			count += 1
+
+	db.session.commit()
+
+	print(f"Updated {count} users", file=sys.stderr)
--- a/config.example.cfg
+++ b/config.example.cfg
@ -11,6 +11,9 @@ SQLALCHEMY_TRACK_MODIFICATIONS = False
 GITHUB_CLIENT_ID = ""
 GITHUB_CLIENT_SECRET = ""

+# Optional, used for an admin action - import user ids from GitHub
+GITHUB_API_TOKEN = ""
+
 REDIS_URL = 'redis://redis:6379'
 CELERY_BROKER_URL = 'redis://redis:6379'
 CELERY_RESULT_BACKEND = 'redis://redis:6379'
--- a/migrations/versions/1fe2e44cf565_.py
+++ b/migrations/versions/1fe2e44cf565_.py
@ -0,0 +1,28 @@
+"""empty message
+
+Revision ID: 1fe2e44cf565
+Revises: d73078c5d619
+Create Date: 2024-03-30 16:19:47.384716
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = '1fe2e44cf565'
+down_revision = 'd73078c5d619'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    with op.batch_alter_table('user', schema=None) as batch_op:
+        batch_op.add_column(sa.Column('github_user_id', sa.Integer(), nullable=True))
+        batch_op.create_unique_constraint("_user_github_user_id", ['github_user_id'])
+
+
+def downgrade():
+    with op.batch_alter_table('user', schema=None) as batch_op:
+        batch_op.drop_constraint("_user_github_user_id", type_='unique')
+        batch_op.drop_column('github_user_id')