From: Milan Cvetkovic
Date: Mon, 27 May 2024 14:40:53 +0000 (+0000)
Subject: Social sign-in: avoid re-authorization in `users_controller#create`
X-Git-Tag: live~602^2
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/15623aa35a9fe77343efd7e67f04d33599a8ce3b?hp=15623aa35a9fe77343efd7e67f04d33599a8ce3b

Social sign-in: avoid re-authorization in `users_controller#create`

It does not add any additional guards against malicious users:
Malicious user may attempt to invoke `POST /users/new` with bogus values for `auth_provider` and `auth_uid` resulting with a new account to which user would have a way to login, other than sending a password reset request.

In some cases, re-authorization would introduce additional "Please login to your social account", or "Are you sure you want to be logged in" popup triggered by identity provider.

This PR removes the re-authorization request from `POST /users/new` in authorization flow.
---