From 23e5636dd0c6c6b546d12e05cc7ad4d4c5784fe0 Mon Sep 17 00:00:00 2001
From: Kyle Carberry
Date: Fri, 29 Apr 2022 15:13:35 -0500
Subject: [PATCH] fix: Use verified and primary email for GitHub signup (#1230)

This was causing a panic due to nil pointer dereference. It required all users signing up had a public email, which is an unreasonable requirement!
---
 coderd/userauth.go | 18 ++++++++++++++++--
 coderd/userauth_test.go | 7 +++++--
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index 087a9adb78..3b6b1f3f37 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -75,7 +75,7 @@ func (api *api) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 // Search for existing users with matching and verified emails.
 // If a verified GitHub email matches a Coder user, we will return.
 for _, email := range emails {
- if email.Verified == nil {
+ if !email.GetVerified() {
 continue
 }
 user, err = api.Database.GetUserByEmailOrUsername(r.Context(), database.GetUserByEmailOrUsernameParams{
@@ -123,8 +123,22 @@ func (api *api) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 })
 return
 }
+ var verifiedEmail *github.UserEmail
+ for _, email := range emails {
+ if !email.GetPrimary() || !email.GetVerified() {
+ continue
+ }
+ verifiedEmail = email
+ break
+ }
+ if verifiedEmail == nil {
+ httpapi.Write(rw, http.StatusPreconditionRequired, httpapi.Response{
+ Message: "Your primary email must be verified on GitHub!",
+ })
+ return
+ }
 user, _, err = api.createUser(r.Context(), codersdk.CreateUserRequest{
- Email: *ghUser.Email,
+ Email: *verifiedEmail.Email,
 Username: *ghUser.Login,
 OrganizationID: organizationID,
 })
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index b5103b9d2d..19d8b0e4b7 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
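Review bot: The switch to `email.GetVerified()` in the existing-user loop changes who can sign in, not only whether the handler panics, and neither the code nor the commit message records that. With the old `email.Verified == nil` test, an address whose `Verified` field was present but false still reached `GetUserByEmailOrUsername`, so an unverified GitHub address could match an existing account. A comment above the check such as `// GetVerified reports false for a nil or false Verified field; only verified addresses may match an existing account.` would keep a later refactor from relaxing it. The lookup parameters and the rest of the loop body are outside this hunk.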
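Review bot: `*verifiedEmail.Email` and `*ghUser.Login` in the `createUser` call are still raw pointer dereferences, so a GitHub response that omits either field would panic the handler just as the removed `*ghUser.Email` did. The selection loop already uses the nil-safe accessors, and the same style fits here: skip entries without an address with `if !email.GetPrimary() || !email.GetVerified() || email.GetEmail() == "" {`, then pass `Email: verifiedEmail.GetEmail(),` and `Username: ghUser.GetLogin(),`. The function starts and ends outside this hunk, so `ghUser.Login` may already be checked earlier; if it is not, an empty login should be rejected before `createUser` rather than stored.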
@@ -142,11 +142,14 @@ func TestUserOAuth2Github(t *testing.T) {
 AuthenticatedUser: func(ctx context.Context, client *http.Client) (*github.User, error) {
 return &github.User{
 Login: github.String("kyle"),
- Email: github.String("kyle@coder.com"),
 }, nil
 },
 ListEmails: func(ctx context.Context, client *http.Client) ([]*github.UserEmail, error) {
- return []*github.UserEmail{}, nil
+ return []*github.UserEmail{{
+ Email: github.String("kyle@coder.com"),
+ Verified: github.Bool(true),
+ Primary: github.Bool(true),
+ }}, nil
 },
 },
 })
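Review bot: The updated fixture covers only the success path, where the single address is both verified and primary, so nothing visible in this hunk tests the rejections that `userOAuth2Github` gains in this commit. A sibling subtest whose `ListEmails` returns `Verified: github.Bool(false)` (and another with `Primary: github.Bool(false)`) should assert `http.StatusPreconditionRequired` and that no user is created. A further case with an unverified address equal to an existing user's email would pin the account-matching check. `TestUserOAuth2Github` starts and continues outside this hunk, so such cases may already exist elsewhere in the file.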