assert phone/email verified when either is set

Author: scottmckendry

internal/assets/migrations/000008_oidc_userinfo_profile.up.sql

@@ -10,5 +10,4 @@ ALTER TABLE "oidc_userinfo" ADD COLUMN "birthdate"              TEXT    NOT NULL
 ALTER TABLE "oidc_userinfo" ADD COLUMN "zoneinfo"               TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "locale"                 TEXT    NOT NULL DEFAULT "";
 ALTER TABLE "oidc_userinfo" ADD COLUMN "phone_number"           TEXT    NOT NULL DEFAULT "";
-ALTER TABLE "oidc_userinfo" ADD COLUMN "phone_number_verified"  INTEGER NOT NULL DEFAULT 0;
 ALTER TABLE "oidc_userinfo" ADD COLUMN "address"                TEXT    NOT NULL DEFAULT "{}";

internal/config/config.go

@@ -126,22 +126,21 @@ type AuthConfig struct {
 }
 
 type UserAttributes struct {
-	Name                string       `description:"Full name of the user." yaml:"name"`
-	GivenName           string       `description:"Given (first) name of the user." yaml:"givenName"`
-	FamilyName          string       `description:"Family (last) name of the user." yaml:"familyName"`
-	MiddleName          string       `description:"Middle name of the user." yaml:"middleName"`
-	Nickname            string       `description:"Nickname of the user." yaml:"nickname"`
-	Profile             string       `description:"URL of the user's profile page." yaml:"profile"`
-	Picture             string       `description:"URL of the user's profile picture." yaml:"picture"`
-	Website             string       `description:"URL of the user's website." yaml:"website"`
-	Email               string       `description:"Email address of the user." yaml:"email"`
-	Gender              string       `description:"Gender of the user." yaml:"gender"`
-	Birthdate           string       `description:"Birthdate of the user (YYYY-MM-DD)." yaml:"birthdate"`
-	Zoneinfo            string       `description:"Time zone of the user (e.g. Europe/Athens)." yaml:"zoneinfo"`
-	Locale              string       `description:"Locale of the user (e.g. en-US)." yaml:"locale"`
-	PhoneNumber         string       `description:"Phone number of the user." yaml:"phoneNumber"`
-	PhoneNumberVerified bool         `description:"Whether the phone number has been verified." yaml:"phoneNumberVerified"`
-	Address             AddressClaim `description:"Address of the user." yaml:"address"`
+	Name        string       `description:"Full name of the user." yaml:"name"`
+	GivenName   string       `description:"Given (first) name of the user." yaml:"givenName"`
+	FamilyName  string       `description:"Family (last) name of the user." yaml:"familyName"`
+	MiddleName  string       `description:"Middle name of the user." yaml:"middleName"`
+	Nickname    string       `description:"Nickname of the user." yaml:"nickname"`
+	Profile     string       `description:"URL of the user's profile page." yaml:"profile"`
+	Picture     string       `description:"URL of the user's profile picture." yaml:"picture"`
+	Website     string       `description:"URL of the user's website." yaml:"website"`
+	Email       string       `description:"Email address of the user." yaml:"email"`
+	Gender      string       `description:"Gender of the user." yaml:"gender"`
+	Birthdate   string       `description:"Birthdate of the user (YYYY-MM-DD)." yaml:"birthdate"`
+	Zoneinfo    string       `description:"Time zone of the user (e.g. Europe/Athens)." yaml:"zoneinfo"`
+	Locale      string       `description:"Locale of the user (e.g. en-US)." yaml:"locale"`
+	PhoneNumber string       `description:"Phone number of the user." yaml:"phoneNumber"`
+	Address     AddressClaim `description:"Address of the user." yaml:"address"`
 }
 
 type AddressClaim struct {

internal/repository/models.go

@@ -390,13 +390,7 @@ func (service *OIDCService) StoreUserinfo(c *gin.Context, sub string, userContex
 		Zoneinfo:          userContext.Attributes.Zoneinfo,
 		Locale:            userContext.Attributes.Locale,
 		PhoneNumber:       userContext.Attributes.PhoneNumber,
-		PhoneNumberVerified: func() int64 {
-			if userContext.Attributes.PhoneNumberVerified {
-				return 1
-			}
-			return 0
-		}(),
-		Address: string(addressJSON),
+		Address:           string(addressJSON),
 	}
 
 	// Tinyauth will pass through the groups it got from an LDAP or an OIDC server
@@ -692,8 +686,7 @@ func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope
 
 	if slices.Contains(scopes, "email") {
 		userInfo.Email = user.Email
-		// We can set this as a configuration option in the future but for now it's a good idea to assume it's true
-		userInfo.EmailVerified = true
+		userInfo.EmailVerified = user.Email != ""
 	}
 
 	if slices.Contains(scopes, "groups") {
@@ -706,7 +699,7 @@ func (service *OIDCService) CompileUserinfo(user repository.OidcUserinfo, scope
 
 	if slices.Contains(scopes, "phone") {
 		userInfo.PhoneNumber = user.PhoneNumber
-		verified := user.PhoneNumberVerified != 0
+		verified := user.PhoneNumber != ""
 		userInfo.PhoneNumberVerified = &verified
 	}
 

internal/repository/oidc_queries.sql.go

@@ -24,26 +24,25 @@ func newTestUser() repository.OidcUserinfo {
 	addrJSON, _ := json.Marshal(addr)
 
 	return repository.OidcUserinfo{
-		Sub:                 "test-sub",
-		Name:                "Test User",
-		PreferredUsername:   "testuser",
-		Email:               "test@example.com",
-		Groups:              "admins,users",
-		UpdatedAt:           1234567890,
-		GivenName:           "Test",
-		FamilyName:          "User",
-		MiddleName:          "M",
-		Nickname:            "testy",
-		Profile:             "https://example.com/testuser",
-		Picture:             "https://example.com/testuser.jpg",
-		Website:             "https://testuser.example.com",
-		Gender:              "male",
-		Birthdate:           "1990-01-01",
-		Zoneinfo:            "America/Chicago",
-		Locale:              "en-US",
-		PhoneNumber:         "+15555550100",
-		PhoneNumberVerified: 1,
-		Address:             string(addrJSON),
+		Sub:               "test-sub",
+		Name:              "Test User",
+		PreferredUsername: "testuser",
+		Email:             "test@example.com",
+		Groups:            "admins,users",
+		UpdatedAt:         1234567890,
+		GivenName:         "Test",
+		FamilyName:        "User",
+		MiddleName:        "M",
+		Nickname:          "testy",
+		Profile:           "https://example.com/testuser",
+		Picture:           "https://example.com/testuser.jpg",
+		Website:           "https://testuser.example.com",
+		Gender:            "male",
+		Birthdate:         "1990-01-01",
+		Zoneinfo:          "America/Chicago",
+		Locale:            "en-US",
+		PhoneNumber:       "+15555550100",
+		Address:           string(addrJSON),
 	}
 }
 
@@ -110,6 +109,17 @@ func TestCompileUserinfo_EmailScope(t *testing.T) {
 	assert.Empty(t, info.Name) // profile not requested
 }
 
+func TestCompileUserinfo_EmailScope_Unverified(t *testing.T) {
+	svc := newOIDCService(t)
+	user := newTestUser()
+	user.Email = ""
+
+	info := svc.CompileUserinfo(user, "openid,email")
+
+	assert.Empty(t, info.Email)
+	assert.False(t, info.EmailVerified)
+}
+
 func TestCompileUserinfo_PhoneScope(t *testing.T) {
 	svc := newOIDCService(t)
 	user := newTestUser()
@@ -124,7 +134,7 @@ func TestCompileUserinfo_PhoneScope(t *testing.T) {
 func TestCompileUserinfo_PhoneScope_Unverified(t *testing.T) {
 	svc := newOIDCService(t)
 	user := newTestUser()
-	user.PhoneNumberVerified = 0
+	user.PhoneNumber = ""
 
 	info := svc.CompileUserinfo(user, "openid,phone")
 

internal/service/oidc_service.go

@@ -103,10 +103,9 @@ INSERT INTO "oidc_userinfo" (
     "zoneinfo",
     "locale",
     "phone_number",
-    "phone_number_verified",
     "address"
 ) VALUES (
-    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
+    ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
 )
 RETURNING *;
 

internal/service/oidc_service_test.go

@@ -39,6 +39,5 @@ CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
     "zoneinfo"              TEXT    NOT NULL,
     "locale"                TEXT    NOT NULL,
     "phone_number"          TEXT    NOT NULL,
-    "phone_number_verified" INTEGER NOT NULL,
     "address"               TEXT    NOT NULL
 );