From 39b6a42d43b96cf41ee110406c4dd1b7ffc565b7 Mon Sep 17 00:00:00 2001
From: Daryl Finlay <djfinlay@users.noreply.github.com>
Date: Thu, 11 Jul 2019 15:18:36 +0100
Subject: [PATCH] Mark option to skip verified email check as insecure

---
 options.go | 72 +++++++++++++++++++++++++++---------------------------
 1 file changed, 36 insertions(+), 36 deletions(-)

diff --git a/options.go b/options.go
index 3cd6e3a..7436d85 100644
--- a/options.go
+++ b/options.go
@@ -79,18 +79,18 @@ type Options struct {
 
 	// These options allow for other providers besides Google, with
 	// potential overrides.
-	Provider                 string `flag:"provider" cfg:"provider" env:"OAUTH2_PROXY_PROVIDER"`
-	OIDCIssuerURL            string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url" env:"OAUTH2_PROXY_OIDC_ISSUER_URL"`
-	OIDCAllowUnverifiedEmail bool   `flag:"oidc-allow-unverified-email" cfg:"oidc_allow_unverified_email" env:"OAUTH2_PROXY_OIDC_ALLOW_UNVERIFIED_EMAIL"`
-	SkipOIDCDiscovery        bool   `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery" env:"OAUTH2_SKIP_OIDC_DISCOVERY"`
-	OIDCJwksURL              string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url" env:"OAUTH2_OIDC_JWKS_URL"`
-	LoginURL                 string `flag:"login-url" cfg:"login_url" env:"OAUTH2_PROXY_LOGIN_URL"`
-	RedeemURL                string `flag:"redeem-url" cfg:"redeem_url" env:"OAUTH2_PROXY_REDEEM_URL"`
-	ProfileURL               string `flag:"profile-url" cfg:"profile_url" env:"OAUTH2_PROXY_PROFILE_URL"`
-	ProtectedResource        string `flag:"resource" cfg:"resource" env:"OAUTH2_PROXY_RESOURCE"`
-	ValidateURL              string `flag:"validate-url" cfg:"validate_url" env:"OAUTH2_PROXY_VALIDATE_URL"`
-	Scope                    string `flag:"scope" cfg:"scope" env:"OAUTH2_PROXY_SCOPE"`
-	ApprovalPrompt           string `flag:"approval-prompt" cfg:"approval_prompt" env:"OAUTH2_PROXY_APPROVAL_PROMPT"`
+	Provider                         string `flag:"provider" cfg:"provider" env:"OAUTH2_PROXY_PROVIDER"`
+	OIDCIssuerURL                    string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url" env:"OAUTH2_PROXY_OIDC_ISSUER_URL"`
+	InsecureOIDCAllowUnverifiedEmail bool   `flag:"insecure-oidc-allow-unverified-email" cfg:"insecure_oidc_allow_unverified_email" env:"OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL"`
+	SkipOIDCDiscovery                bool   `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery" env:"OAUTH2_SKIP_OIDC_DISCOVERY"`
+	OIDCJwksURL                      string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url" env:"OAUTH2_OIDC_JWKS_URL"`
+	LoginURL                         string `flag:"login-url" cfg:"login_url" env:"OAUTH2_PROXY_LOGIN_URL"`
+	RedeemURL                        string `flag:"redeem-url" cfg:"redeem_url" env:"OAUTH2_PROXY_REDEEM_URL"`
+	ProfileURL                       string `flag:"profile-url" cfg:"profile_url" env:"OAUTH2_PROXY_PROFILE_URL"`
+	ProtectedResource                string `flag:"resource" cfg:"resource" env:"OAUTH2_PROXY_RESOURCE"`
+	ValidateURL                      string `flag:"validate-url" cfg:"validate_url" env:"OAUTH2_PROXY_VALIDATE_URL"`
+	Scope                            string `flag:"scope" cfg:"scope" env:"OAUTH2_PROXY_SCOPE"`
+	ApprovalPrompt                   string `flag:"approval-prompt" cfg:"approval_prompt" env:"OAUTH2_PROXY_APPROVAL_PROMPT"`
 
 	// Configuration values for logging
 	LoggingFilename       string `flag:"logging-filename" cfg:"logging_filename" env:"OAUTH2_LOGGING_FILENAME"`
@@ -148,29 +148,29 @@ func NewOptions() *Options {
 		SessionOptions: options.SessionOptions{
 			Type: "cookie",
 		},
-		SetXAuthRequest:          false,
-		SkipAuthPreflight:        false,
-		PassBasicAuth:            true,
-		PassUserHeaders:          true,
-		PassAccessToken:          false,
-		PassHostHeader:           true,
-		SetAuthorization:         false,
-		PassAuthorization:        false,
-		ApprovalPrompt:           "force",
-		OIDCAllowUnverifiedEmail: false,
-		SkipOIDCDiscovery:        false,
-		LoggingFilename:          "",
-		LoggingMaxSize:           100,
-		LoggingMaxAge:            7,
-		LoggingMaxBackups:        0,
-		LoggingLocalTime:         true,
-		LoggingCompress:          false,
-		StandardLogging:          true,
-		StandardLoggingFormat:    logger.DefaultStandardLoggingFormat,
-		RequestLogging:           true,
-		RequestLoggingFormat:     logger.DefaultRequestLoggingFormat,
-		AuthLogging:              true,
-		AuthLoggingFormat:        logger.DefaultAuthLoggingFormat,
+		SetXAuthRequest:                  false,
+		SkipAuthPreflight:                false,
+		PassBasicAuth:                    true,
+		PassUserHeaders:                  true,
+		PassAccessToken:                  false,
+		PassHostHeader:                   true,
+		SetAuthorization:                 false,
+		PassAuthorization:                false,
+		ApprovalPrompt:                   "force",
+		InsecureOIDCAllowUnverifiedEmail: false,
+		SkipOIDCDiscovery:                false,
+		LoggingFilename:                  "",
+		LoggingMaxSize:                   100,
+		LoggingMaxAge:                    7,
+		LoggingMaxBackups:                0,
+		LoggingLocalTime:                 true,
+		LoggingCompress:                  false,
+		StandardLogging:                  true,
+		StandardLoggingFormat:            logger.DefaultStandardLoggingFormat,
+		RequestLogging:                   true,
+		RequestLoggingFormat:             logger.DefaultRequestLoggingFormat,
+		AuthLogging:                      true,
+		AuthLoggingFormat:                logger.DefaultAuthLoggingFormat,
 	}
 }
 
@@ -399,7 +399,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 			}
 		}
 	case *providers.OIDCProvider:
-		p.AllowUnverifiedEmail = o.OIDCAllowUnverifiedEmail
+		p.AllowUnverifiedEmail = o.InsecureOIDCAllowUnverifiedEmail
 		if o.oidcVerifier == nil {
 			msgs = append(msgs, "oidc provider requires an oidc issuer URL")
 		} else {