OAuth 2.0 authorization and token exchange


Parse GitLab confirmed_at to set email_verified

GitLab's /api/v4/user returns confirmed_at as an ISO 8601 timestamp
when the user has verified their email. Parse it and set
email_verified accordingly, instead of hardcoding false.

Email is now only populated when confirmed_at is present, consistent
with the Google and GitHub treatment.

+16 -9
+9 -4
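--- a/lib/oauth.ml
+++ b/lib/oauth.ml
@@ -497,15 +497,18 @@
 u.avatar_url)
 |> Jsont.Object.skip_unknown |> Jsont.Object.finish
 
-(* GitLab: {"id":123,"username":"john","email":"...","name":"...","avatar_url":"..."} *)
+(* GitLab: {"id":123,"username":"john","email":"...","confirmed_at":"2024-...",
+"name":"...","avatar_url":"..."}
+confirmed_at is non-null when the user has verified their email. *)
 let gitlab_userinfo_jsont =
 Jsont.Object.map ~kind:"gitlab_userinfo"
-(fun id username email name avatar_url ->
+(fun id username email confirmed_at name avatar_url ->
+let email_verified = Option.is_some confirmed_at in
 {
 uid = string_of_int id;
 login = username;
-email = non_empty email;
-email_verified = false;
+email = (if email_verified then non_empty email else None);
+email_verified;
 name;
 avatar_url;
 })
@@ -514,6 +517,8 @@
 u.login)
 |> Jsont.Object.mem "email" Jsont.string ~dec_absent:"" ~enc:(fun u ->
 opt_to_string u.email)
+|> Jsont.Object.opt_mem "confirmed_at" Jsont.string ~enc:(fun u ->
+if u.email_verified then Some "" else None)
 |> Jsont.Object.mem "name" Jsont.string ~dec_absent:"" ~enc:(fun u -> u.name)
 |> Jsont.Object.mem "avatar_url" Jsont.string ~dec_absent:"" ~enc:(fun u ->
 u.avatar_url)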
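Review bot: `Option.is_some confirmed_at` in the first hunk accepts any decoded string as proof of verification, including `""` or a value that is not a timestamp, although the description says the field is parsed; the encoder in the second hunk itself writes `Some ""`, which decodes back to `email_verified = true`. Because the interface tells callers to gate authentication decisions on this flag, I would at least require a non-empty value, e.g. `let email_verified = Option.is_some (Option.bind confirmed_at non_empty) in` (assuming `non_empty` returns `string option`, as its use on `email` suggests), or validate the ISO 8601 shape. Separately, the new comment says the field is non-null when verified, which implies an explicit `"confirmed_at": null` otherwise; as far as I know `Jsont.Object.opt_mem` only covers an absent member, so a null would fail the whole decode instead of yielding `None`. That is worth a test with a null value, and `Jsont.Object.mem "confirmed_at" (Jsont.option Jsont.string) ~dec_absent:None` if it fails. The member chain between the two hunks is not shown.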
+7 -5
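--- a/lib/oauth.mli
+++ b/lib/oauth.mli
@@ -298,11 +298,13 @@
 [None]; the verified primary email requires {!parse_github_emails}
 with [GET /user/emails]. *)
 email_verified : bool;
-(** Whether the provider asserts this email is verified. [true] for Google
-when [email_verified = true] in the OIDC response, and for emails
-obtained via {!parse_github_emails}. [false] for all other cases
-including GitLab and custom providers (where verification status is
-unknown). Do not use [email] for authentication decisions unless
+(** Whether the provider asserts this email is verified.
+- Google: [true] when [email_verified = true] in the OIDC response.
+- GitHub: [true] for emails obtained via {!parse_github_emails}.
+- GitLab: [true] when [confirmed_at] is present in the user response.
+- Custom: always [false] (verification status unknown).
+
+Do not use [email] for authentication decisions unless
 [email_verified] is [true]. *)
 name : string; (** Display name (may be empty). *)
 avatar_url : string; (** Avatar URL (may be empty). *)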
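Review bot: The GitLab bullet, `[true] when [confirmed_at] is present`, reads as the same strength of guarantee as the Google and GitHub cases, but the value only reflects what the GitLab instance recorded. If this provider can be pointed at a self-managed instance, an administrator can, as far as I know, create pre-confirmed accounts or relax the confirmation requirement, so the flag is only as trustworthy as that instance's policy. I would add a sentence such as `For self-managed GitLab this reflects the instance's confirmation policy; rely on it only for instances you control or have vetted.` and say "non-null" rather than "present" to match the comment in lib/oauth.ml. The record type starts and ends outside the hunk.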