GitHub App: block GH app users to re-connect to old OAuth app (#12175)

stsewd · web-flow · commit 8d6a42c0caf4 · 2025-05-20T10:03:01.000-05:00
This prevents users already using the new GH app from creating another
account by mistake with the old app.
diff --git a/readthedocs/core/adapters.py b/readthedocs/core/adapters.py
@@ -64,6 +64,7 @@ def save_user(self, request, user, form, commit=True):
 class SocialAccountAdapter(DefaultSocialAccountAdapter):
     def pre_social_login(self, request, sociallogin):
         self._filter_email_addresses(sociallogin)
+        self._block_use_of_old_github_oauth_app(request, sociallogin)
         self._connect_github_app_to_existing_github_account(request, sociallogin)
 
     def _filter_email_addresses(self, sociallogin):
@@ -134,3 +135,42 @@ def _can_use_github_app(self, user):
         Only staff users can use the GitHub App for now.
         """
         return user.is_staff
+
+    def _block_use_of_old_github_oauth_app(self, request, sociallogin):
+        """
+        Block the use of the old GitHub OAuth app if the user is already using the new GitHub App.
+
+        This is a temporary measure to block the use of the old GitHub OAuth app
+        until we switch our login to always use the new GitHub App.
+
+        If the user has its account still connected to the old GitHub OAuth app,
+        we allow them to use it, since there is no difference between using the two apps
+        for logging in.
+        """
+        provider = sociallogin.account.get_provider()
+
+        # If the provider is not GitHub, nothing to do.
+        if provider.id != GitHubProvider.id:
+            return
+
+        # If the user is still using the old GitHub OAuth app, nothing to do.
+        if sociallogin.is_existing:
+            return
+
+        has_gh_app_social_account = SocialAccount.objects.filter(
+            provider=GitHubAppProvider.id,
+            uid=sociallogin.account.uid,
+        ).exists()
+
+        # If there is no existing GitHub App account, nothing to do.
+        if not has_gh_app_social_account:
+            return
+
+        # Show a warning to the user and redirect them to the GitHub App login page.
+        messages.warning(
+            request,
+            "You already migrated from our old GitHub OAuth app. "
+            "Click below to sign in with the new GitHub App.",
+        )
+        url = reverse("githubapp_login")
+        raise ImmediateHttpResponse(HttpResponseRedirect(url))
diff --git a/readthedocs/core/tests/test_adapters.py b/readthedocs/core/tests/test_adapters.py
@@ -172,3 +172,60 @@ def test_allow_existing_githubapp_accounts_to_login(self):
         self.user.save()
         assert self.user.is_staff
         self.adapter.pre_social_login(request, sociallogin)
+
+    def test_dont_allow_using_old_github_app(self):
+        github_app_account = get(
+            SocialAccount,
+            provider=GitHubAppProvider.id,
+            uid="1234",
+            user=self.user,
+        )
+
+        request = mock.MagicMock(user=AnonymousUser())
+        sociallogin = SocialLogin(
+            user=User(email="me@example.com"),
+            account=SocialAccount(
+                provider=GitHubProvider.id, uid=github_app_account.uid
+            ),
+        )
+        with self.assertRaises(ImmediateHttpResponse) as exc:
+            self.adapter.pre_social_login(request, sociallogin)
+
+        assert self.user.socialaccount_set.filter(
+            provider=GitHubAppProvider.id
+        ).exists()
+        assert not self.user.socialaccount_set.filter(
+            provider=GitHubProvider.id
+        ).exists()
+
+        response = exc.exception.response
+        assert response.status_code == 302
+        assert response.url == "/accounts/githubapp/login/"
+
+    def test_allow_using_old_github_app(self):
+        get(
+            SocialAccount,
+            provider=GitHubAppProvider.id,
+            uid="1234",
+            user=self.user,
+        )
+        github_account = get(
+            SocialAccount,
+            provider=GitHubProvider.id,
+            uid="1234",
+            user=self.user,
+        )
+
+        request = mock.MagicMock(user=AnonymousUser())
+        sociallogin = SocialLogin(
+            user=self.user,
+            account=github_account,
+        )
+        self.adapter.pre_social_login(request, sociallogin)
+
+        assert self.user.socialaccount_set.filter(
+            provider=GitHubAppProvider.id
+        ).exists()
+        assert self.user.socialaccount_set.filter(
+            provider=GitHubProvider.id
+        ).exists()
