author | Robert Speicher <robert@gitlab.com> | 2015-12-08 15:32:24 +0000 |
---|---|---|
committer | Robert Speicher <robert@gitlab.com> | 2015-12-08 15:32:24 +0000 |
commit | 4cd259e91dd54cda479d114210c6b7dc9113a5cc (patch) | |
tree | 23dc2bfceb56c5731b94e79d389262e4c37f2ebf | |
parent | 792f2bbe0b306bda266dfc817edf33b4c9e36a0f (diff) | |
parent | 41a4785b855a082197b3c22004cb8af96e5453ee (diff) | |
Merge branch 'fix-omniauth-signin' into 'master'
Fix signin with OmniAuth providers
OmniAuth CSRF protection was broken with the move to Rails 4.2 since
the CSRF logic in Rails changed.
This new implementation calls out to Rails instead of copying its code,
which is far easier to maintain.
See merge request !2019
-rw-r--r-- | config/initializers/omniauth.rb | 2 | ||||
-rw-r--r-- | lib/omni_auth/request_forgery_protection.rb | 63 |
2 files changed, 10 insertions, 55 deletions
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 70ed10e8275..4c164119fff 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
 #In case of auto sign-in, the GET method is used (users don't get to click on a button)
 OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
 OmniAuth.config.before_request_phase do |env|
- OmniAuth::RequestForgeryProtection.new(env).call
+ OmniAuth::RequestForgeryProtection.call(env)
 end
 if Gitlab.config.omniauth.enabled
diff --git a/lib/omni_auth/request_forgery_protection.rb b/lib/omni_auth/request_forgery_protection.rb
index 3557522d3c9..69155131d8d 100644
--- a/lib/omni_auth/request_forgery_protection.rb
+++ b/lib/omni_auth/request_forgery_protection.rb
@@ -1,66 +1,21 @@ # Protects OmniAuth request phase against CSRF. module OmniAuth - # Based on ActionController::RequestForgeryProtection. - class RequestForgeryProtection - def initialize(env) - @env = env - end - - def request - @request ||= ActionDispatch::Request.new(@env) - end - - def session - request.session - end - - def reset_session - request.reset_session - end - - def params - request.params - end - - def call - verify_authenticity_token - end + module RequestForgeryProtection + class Controller < ActionController::Base + protect_from_forgery with: :exception - def verify_authenticity_token - if !verified_request? - Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger - handle_unverified_request + def index + head :ok end end - private - - def protect_against_forgery? - ApplicationController.allow_forgery_protection - end - - def request_forgery_protection_token - ApplicationController.request_forgery_protection_token - end - - def forgery_protection_strategy - ApplicationController.forgery_protection_strategy - end - - def verified_request? - !protect_against_forgery? || request.get? || request.head? || - form_authenticity_token == params[request_forgery_protection_token] || - form_authenticity_token == request.headers['X-CSRF-Token'] - end - - def handle_unverified_request - forgery_protection_strategy.new(self).handle_unverified_request + def self.app + @app ||= Controller.action(:index) end - # Sets the token value for the current session. - def form_authenticity_token - session[:_csrf_token] ||= SecureRandom.base64(32) + def self.call(env) + app.call(env) end end end |
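Review bot: The check that `protect_from_forgery with: :exception` installs on `Controller` exempts GET and HEAD requests (the removed `verified_request?` shows the same `request.get? || request.head?` exemption that Rails applies), so when the initializer in the first hunk appends `:get` to `allowed_request_methods` for auto sign-in, a GET-initiated request phase passes through `self.call` with no token comparison at all; that is inherited from the old implementation rather than introduced here, but the new module no longer makes it visible. The module's only documentation is the top line, and a reader of `Controller.action(:index)` cannot tell that the `head :ok` response is discarded by `before_request_phase` and that a failed check surfaces as `ActionController::InvalidAuthenticityToken` raised from the forgery `before_action`, which presumably reaches the user through the app's normal exception handling rather than OmniAuth's failure path — worth confirming. I would add above `class Controller`: `# Delegates the CSRF check to Rails' own protect_from_forgery; index only runs when the token verified, otherwise ActionController::InvalidAuthenticityToken propagates out of before_request_phase. GET/HEAD are exempt by Rails, which is what the auto_sign_in_with_provider GET path relies on.` Since the hunk covers the whole file, no further context is cut off.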