handle github noreply email addresses

ewdurbin · ewdurbin · commit 58af78b88002 · 2025-04-05T07:35:35.000-04:00
diff --git a/cla/events.py b/cla/events.py
@@ -99,6 +99,11 @@ async def handle_pull_request(event, gh, *args, **kwargs):
         signature = await Signature.objects.filter(
             Q(email_address__iexact=author.email) | Q(normalized_email__iexact=normalized_email)
         ).afirst()
+
+        # Look for an existing signature from an un-masked email address
+        if signature is None and author.email.endswith("@users.noreply.github.com"):
+            signature = await Signature.objects.filter(github_login=author.login).afirst()
+
         if signature is None:
             await PendingSignature.objects.aupdate_or_create(
                 agreement=agreement,
diff --git a/clabot/forms.py b/clabot/forms.py
@@ -0,0 +1,13 @@
+from django import forms
+
+
+class SignEmailForm(forms.Form):
+    email = forms.ChoiceField(
+        label="Select an email address for your signature.",
+        help_text=(
+            "Because you are using a GitHub noreply email address, "
+            "we need you to choose one of your verified GitHub verified email addresses "
+            "in order to sign."
+        ),
+        widget=forms.Select,
+    )
diff --git a/clabot/views.py b/clabot/views.py
@@ -11,6 +11,7 @@
 
 from cla.events import handle_pull_request
 from cla.models import Agreement, PendingSignature, Signature
+from clabot.forms import SignEmailForm
 
 
 class HomePageView(TemplateView):
@@ -44,6 +45,16 @@ async def sign(request):
     agreement_id = request.GET.get("agreement_id")
     email_address = request.GET.get("email_address")
 
+    form = None
+    if email_address.endswith("@users.noreply.github.com"):
+        form = SignEmailForm(request.POST or None)
+        _emails = await sync_to_async(request.session.get)("emails", [])
+        form.fields["email"].choices = [("", "---")] + [
+            (e["email"], e["email"])
+            for e in _emails
+            if e["verified"] and not e["email"].endswith("@users.noreply.github.com")
+        ]
+
     pending_signatures = await sync_to_async(list)(
         PendingSignature.objects.filter(
             agreement_id=agreement_id, email_address__iexact=email_address
@@ -62,6 +73,20 @@ async def sign(request):
         return HttpResponseRedirect("/")
 
     if request.method == "POST":
+        if form:
+            if form.is_valid():
+                email_address = form.cleaned_data["email"]
+            else:
+                return render(
+                    request,
+                    "sign.html",
+                    context={
+                        "agreement": markdown.markdown(pending_signatures[0].agreement.document),
+                        "email_address": email_address,
+                        "form": form,
+                    },
+                )
+
         agreement = pending_signatures[0].agreement
         await Signature.objects.acreate(
             agreement=agreement,
@@ -116,5 +141,6 @@ async def sign(request):
         context={
             "agreement": markdown.markdown(pending_signatures[0].agreement.document),
             "email_address": email_address,
+            "form": form,
         },
     )
diff --git a/github_auth/views.py b/github_auth/views.py
@@ -45,17 +45,27 @@ def github_callback(request):
     user_data = requests.get(
         "https://api.github.com/user",
         headers={"Authorization": f'token {client.token["access_token"]}'},
-    )
+    ).json()
     user_email_data = requests.get(
         "https://api.github.com/user/emails",
         headers={"Authorization": f'token {client.token["access_token"]}'},
-    )
+    ).json()
 
-    request.session["username"] = user_data.json()["login"]
-    request.session["emails"] = user_email_data.json()
+    email_username = user_data["login"]
+    email_user_id = user_data["id"]
+    request.session["emails"] = user_email_data + [
+        {
+            "email": f"{email_user_id}+{email_username}@users.noreply.github.com",
+            "verified": True,
+        },
+        {
+            "email": f"{email_username}@users.noreply.github.com",
+            "verified": True,
+        },
+    ]
 
-    request.session["github_login"] = user_data.json()["login"]
-    request.session["github_id"] = user_data.json()["id"]
-    request.session["github_node_id"] = user_data.json()["node_id"]
+    request.session["github_login"] = user_data["login"]
+    request.session["github_id"] = user_data["id"]
+    request.session["github_node_id"] = user_data["node_id"]
 
     return HttpResponseRedirect("/awaiting/")
diff --git a/templates/awaiting_signature.html b/templates/awaiting_signature.html
@@ -28,7 +28,9 @@ <h2>{{ agreement.grouper }}</h2>
           </p>
         {% else %}
           <div class="button-container">
-            <a class="button" href="/sign?agreement_id={{ agreement.grouper.id }}&email_address={{ email.grouper|urlencode }}">Review and Sign</a>
+            <button>
+              <a class="button" href="/sign?agreement_id={{ agreement.grouper.id }}&email_address={{ email.grouper|urlencode }}">Review and Sign</a>
+            </button>
           </div>
         {% endif %}
       {% endfor %}
diff --git a/templates/base.html b/templates/base.html
@@ -22,7 +22,7 @@
       }
       .button-container {
         text-align: center;
-        margin: 3rem auto;
+        margin: 1rem auto;
       }
       .button {
         padding: 1rem;
@@ -36,6 +36,8 @@
       }
       .sign-button {
         font-size: 2rem;
+        padding-top: .5rem;
+        padding-bottom: .5rem;
         padding-left: 3rem;
         padding-right: 3rem;
       }
@@ -48,8 +50,14 @@
         border-radius: .5rem;
         text-align: center;
       }
+      .errorlist {
+        margin-block-start: 0;
+        margin-block-end: 0;
+        color: #9e1b32;
+      }
       button {
         -webkit-appearance: none;
+        margin: 1rem;
         border-radius: 0;
         text-align: inherit;
         background: none;
diff --git a/templates/sign.html b/templates/sign.html
@@ -6,6 +6,16 @@
 
   <form method="POST">
     {% csrf_token %}
+    {% if form %}
+      <p>
+      {{ form.email.label_tag }}
+      {{ form.email }}<br>
+      {% if form.email.errors %}{{ form.email.errors }}{% endif %}
+      {% if form.email.help_text %}
+      <small>{{ form.email.help_text }}</small>
+      {% endif %}
+      </p>
+    {% endif %}
     <div class="button-container">
       <button type="submit" class="button sign-button">Sign</button>
       <p>
