7 changes: 5 additions & 2 deletions api/users/views.py
Expand Up @@ -755,7 +755,11 @@ def post(self, request, *args, **kwargs):
# 1. update user oauth, with pending status
external_identity[external_id_provider][external_id] = 'LINK'
if external_id_provider in user.external_identity:
user.external_identity[external_id_provider].update(external_identity[external_id_provider])
# v1 looks to be used because of /confirm/external/ usage for auth but add orcid external identity rewrite updates for v2 as well
if external_id_provider == settings.EXTERNAL_IDENTITY_PROFILE.get('OrcidProfile'):
user.external_identity[external_id_provider] = external_identity[external_id_provider]
else:
user.external_identity[external_id_provider].update(external_identity[external_id_provider])
else:
user.external_identity.update(external_identity)
if not user.accepted_terms_of_service and accepted_terms_of_service:
Expand Down Expand Up @@ -1153,7 +1157,6 @@ class ConfirmEmailView(generics.CreateAPIView):

def _process_external_identity(self, user, external_identity, service_url):
"""Handle all external_identity logic, including task enqueueing and url updates."""

provider = next(iter(external_identity))
if provider not in user.external_identity:
raise ValidationError('External-ID provider mismatch.')
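Review bot: Existing ORCID entries on a matched account are discarded before the owner of the email address has confirmed anything, because the new branch in `post()` assigns `user.external_identity[external_id_provider]` instead of merging into it. The surrounding comment describes this step as recording a pending status only, and the added test shows the replacement is already persisted on the 200 response; if a stored entry can carry a confirmed status (not visible in this hunk), an unconfirmed request would remove it. I would keep non-pending entries at this step, e.g. `kept = {k: v for k, v in user.external_identity[external_id_provider].items() if v != 'LINK'}` followed by `user.external_identity[external_id_provider] = {**kept, **external_identity[external_id_provider]}`, and drop the superseded iD only in the confirmation handler. The same branch is added to `external_login_email_post()` in framework/auth/views.py and needs the same treatment; both functions continue outside their hunks.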
24 changes: 21 additions & 3 deletions api_tests/users/views/test_user_external_login.py
Expand Up @@ -48,7 +48,7 @@ def csrf_token(self):
@pytest.fixture()
def session_data(self):
session = SessionStore()
session['auth_user_external_id_provider'] = 'orcid'
session['auth_user_external_id_provider'] = 'ORCID'
session['auth_user_external_id'] = '1234-1234-1234-1234'
session['auth_user_fullname'] = 'external login'
session['auth_user_external_first_login'] = True
Expand All @@ -62,7 +62,7 @@ def test_external_login(self, app, payload, url, session_data, csrf_token):
with capture_notifications():
res = app.post_json_api(url, payload, headers={'X-CSRFToken': csrf_token})
assert res.status_code == 200
assert res.json == {'external_id_provider': 'orcid', 'auth_user_fullname': 'external login'}
assert res.json == {'external_id_provider': 'ORCID', 'auth_user_fullname': 'external login'}
assert not OSFUser.objects.get(username='freddie@mercury.com').is_confirmed

def test_invalid_payload(self, app, url, session_data, csrf_token):
Expand All @@ -84,6 +84,24 @@ def test_existing_user(self, app, payload, url, user_one, session_data, csrf_tok
with capture_notifications():
res = app.post_json_api(url, payload, headers={'X-CSRFToken': csrf_token})
assert res.status_code == 200
assert res.json == {'external_id_provider': 'orcid', 'auth_user_fullname': 'external login'}
assert res.json == {'external_id_provider': 'ORCID', 'auth_user_fullname': 'external login'}
user_one.reload()
assert user_one.username in user_one.unconfirmed_emails

def test_existing_user_orcid_overwrites(self, app, payload, url, user_one, session_data, csrf_token):
user_one.external_identity = {
'ORCID': {
'0000-0000-0000-0000': 'LINK',
}
}
user_one.save()
app.set_cookie(CSRF_COOKIE_NAME, csrf_token)
app.set_cookie(settings.COOKIE_NAME, str(session_data))
assert user_one.external_identity['ORCID'] == {'0000-0000-0000-0000': 'LINK'}
assert '0000-0000-0000-0000' in user_one.external_identity['ORCID']
payload['data']['attributes']['email'] = user_one.username
with capture_notifications():
res = app.post_json_api(url, payload, headers={'X-CSRFToken': csrf_token})
assert res.status_code == 200
user_one.reload()
assert user_one.external_identity['ORCID'] == {'1234-1234-1234-1234': 'LINK'}
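Review bot: `test_existing_user_orcid_overwrites` seeds the existing entry with status `'LINK'` only, so it does not pin what happens to an ORCID iD the account has already confirmed, and nothing here covers a non-ORCID provider still taking the merge path. I would add a case seeded with the project's confirmed status (`'0000-0000-0000-0000': 'VERIFIED'`, if that is the value used here) that asserts the intended outcome explicitly, plus one where the session provider is not ORCID and the existing keys survive the request. The assertion `assert '0000-0000-0000-0000' in user_one.external_identity['ORCID']` is implied by the equality check on the line before it and can be dropped.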
6 changes: 5 additions & 1 deletion framework/auth/views.py
Expand Up @@ -1097,7 +1097,11 @@ def external_login_email_post():
# 1. update user oauth, with pending status
external_identity[external_id_provider][external_id] = 'LINK'
if external_id_provider in user.external_identity:
user.external_identity[external_id_provider].update(external_identity[external_id_provider])
# v1 looks to be used because of /confirm/external/ usage for auth but add orcid external identity rewrite updates for v2 as well
if external_id_provider == settings.EXTERNAL_IDENTITY_PROFILE.get('OrcidProfile'):
user.external_identity[external_id_provider] = external_identity[external_id_provider]
else:
user.external_identity[external_id_provider].update(external_identity[external_id_provider])
else:
user.external_identity.update(external_identity)
if not user.accepted_terms_of_service and form.accepted_terms_of_service.data:
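Review bot: The comment added above the ORCID check in `external_login_email_post()` is a verbatim copy of the one in api/users/views.py and explains why both code paths were touched rather than what this branch does; in this file the phrase "for v2 as well" appears misleading. I would replace it with `# ORCID: replace the stored identities with the new pending one instead of merging; other providers keep merging.` Since the same five-line block now exists in two views, a small shared helper would keep the two paths from drifting apart; it would have to live outside this hunk, and the function itself continues beyond the lines shown.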