From e616b9251165d5bdb637fdb5f80e45cdc714c691 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Wed, 8 Jan 2020 11:47:01 -0500
Subject: [PATCH] FIX: If the admin sso sync has no external ID, don't throw an error
Instead, return a HTTP error code and a message explaining the problem, to avoid log pollution.
---
 app/controllers/admin/users_controller.rb | 2 ++
 config/locales/server.en.yml | 1 +
 spec/requests/admin/users_controller_spec.rb | 10 ++++++++++
 3 files changed, 13 insertions(+)
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index fdc0815a01..932de723b6 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -423,6 +423,8 @@ class Admin::UsersController < Admin::AdminController
 render_serialized(user, AdminDetailedUserSerializer, root: false)
 rescue ActiveRecord::RecordInvalid => ex
 render json: failed_json.merge(message: ex.message), status: 403
+ rescue DiscourseSingleSignOn::BlankExternalId => ex
+ render json: failed_json.merge(message: I18n.t('sso.blank_id_error')), status: 422
 end
 end
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 312fcbebc0..80d2a02cf4 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -2231,6 +2231,7 @@ en:
 unknown_error: "There is a problem with your account. Please contact the site's administrator."
 timeout_expired: "Account login timed out, please try logging in again."
 no_email: "No email address was provided. Please contact the site's administrator."
+ blank_id_error: "The `external_id` is required but was blank"
 email_error: "An account could not be registered with the email address %{email}. Please contact the site's administrator."
 missing_secret: "SSO authentication failed due to missing secret. Contact the site administrators to fix this problem."
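Review bot: The new rescue clause binds the exception as `ex` but never reads it, unlike the `RecordInvalid` clause above that reports `ex.message`; drop the binding, `rescue DiscourseSingleSignOn::BlankExternalId`, so the unused variable does not suggest the response text comes from the exception. Answering with the fixed translated string instead of `ex.message` is the better choice here, since nothing from the submitted SSO payload is echoed back to the client. The diff does not show where `BlankExternalId` is defined or raised, so it is worth confirming that the raise site is reached inside this action and not already handled earlier. The enclosing action begins before the hunk.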
diff --git a/spec/requests/admin/users_controller_spec.rb b/spec/requests/admin/users_controller_spec.rb
index 2e787bb4ad..49a730ef64 100644
--- a/spec/requests/admin/users_controller_spec.rb
+++ b/spec/requests/admin/users_controller_spec.rb
@@ -872,6 +872,16 @@ RSpec.describe Admin::UsersController do
 expect(JSON.parse(response.body)["message"]).to include(I18n.t('sso.login_error'))
 expect(JSON.parse(response.body)["message"]).not_to include(correct_payload["sig"])
 end
+
+ it "returns 404 if the external id does not exist" do
+ sso.name = "Dr. Claw"
+ sso.username = "dr_claw"
+ sso.email = "dr@claw.com"
+ sso.external_id = ""
+ post "/admin/users/sync_sso.json", params: Rack::Utils.parse_query(sso.payload)
+ expect(response.status).to eq(422)
+ expect(JSON.parse(response.body)["message"]).to include(I18n.t('sso.blank_id_error'))
+ end
 end
 describe '#disable_second_factor' do
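Review bot: The example title `it "returns 404 if the external id does not exist"` contradicts its own assertion `expect(response.status).to eq(422)`, so a failure report would name the wrong status; rename it to `it "returns 422 if the external id is blank" do`. The example only exercises `sso.external_id = ""`; if the controller's `BlankExternalId` path is also meant to cover a missing key, a second example with `sso.external_id = nil` would pin that, though the diff does not show how the payload encodes nil. The enclosing `describe` block starts before the hunk.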