Reject GoogleOidcProfile with unverified email

b56a74dd · Daniel Gerhardt · 87678184 · b56a74dd
Commit b56a74dd authored 6 years ago by Daniel Gerhardt
--- a/src/main/java/de/thm/arsnova/security/pac4j/OauthUserDetailsService.java
+++ b/src/main/java/de/thm/arsnova/security/pac4j/OauthUserDetailsService.java
@@ -56,6 +56,9 @@ public class OauthUserDetailsService implements AuthenticationUserDetailsService
 		User user;
 		if (token.getDetails() instanceof GoogleOidcProfile) {
 			final GoogleOidcProfile profile = (GoogleOidcProfile) token.getDetails();
+			if (!profile.getEmailVerified()) {
+				throw new IllegalArgumentException("Email is not verified.");
+			}
 			user = userService.loadUser(UserProfile.AuthProvider.GOOGLE, profile.getEmail(),
 					grantedAuthorities, true);
 		} else if (token.getDetails() instanceof TwitterProfile) {