From 571ba5a7feb870b7aa711d5a6fc6d4d53d92a4c5 Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Fri, 24 Apr 2015 17:03:18 +0200
Subject: Protect OmniAuth request phase against CSRF.

---
 lib/omni_auth/request_forgery_protection.rb | 62 +++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 lib/omni_auth/request_forgery_protection.rb

(limited to 'lib')

diff --git a/lib/omni_auth/request_forgery_protection.rb b/lib/omni_auth/request_forgery_protection.rb
new file mode 100644
index 00000000000..cbbb686473c
--- /dev/null
+++ b/lib/omni_auth/request_forgery_protection.rb
@@ -0,0 +1,62 @@
+# Protects OmniAuth request phase against CSRF.
+
+module OmniAuth
+ # Based from ActionController::RequestForgeryProtection.
+ class RequestForgeryProtection
+ def initialize(env)
+ @env = env
+ end
+
+ def request
+ @request ||= ActionDispatch::Request.new(@env)
+ end
+
+ def session
+ request.session
+ end
+
+ def params
+ request.params
+ end
+
+ def call
+ verify_authenticity_token
+ end
+
+ def verify_authenticity_token
+ if !verified_request?
+ Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
+ handle_unverified_request
+ end
+ end
+
+ private
+
+ def protect_against_forgery?
+ ApplicationController.allow_forgery_protection
+ end
+
+ def request_forgery_protection_token
+ ApplicationController.request_forgery_protection_token
+ end
+
+ def forgery_protection_strategy
+ ApplicationController.forgery_protection_strategy
+ end
+
+ def verified_request?
+ !protect_against_forgery? || request.get? || request.head? ||
+ form_authenticity_token == params[request_forgery_protection_token] ||
+ form_authenticity_token == request.headers['X-CSRF-Token']
+ end
+
+ def handle_unverified_request
+ forgery_protection_strategy.new(self).handle_unverified_request
+ end
+
+ # Sets the token value for the current session.
+ def form_authenticity_token
+ session[:_csrf_token] ||= SecureRandom.base64(32)
+ end
+ end
+end
-- cgit v1.2.1
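Review bot: `verified_request?` exempts every GET and HEAD request, yet the OmniAuth request phase this class is meant to protect is conventionally reached by a GET to `/auth/:provider`, so as written the check only applies when the request phase is sent as a POST; unless the request phase is restricted to POST elsewhere (OmniAuth's `allowed_request_methods` setting, not visible here), the case the commit title describes stays unprotected. The two token comparisons are plain `==`; a constant-time comparison such as `Rack::Utils.secure_compare(form_authenticity_token, params[request_forgery_protection_token].to_s)`, and the same for the `X-CSRF-Token` header, avoids leaking token bytes through timing, and `.to_s` also covers a missing param. Note too that the token is stored and compared raw in `session[:_csrf_token]`; if the application's Rails version masks the token it emits into forms, the value arriving in the param will not match this raw comparison, which is worth a test against a real form token before relying on it. Minor style: `if !verified_request?` reads better as `unless verified_request?`.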
From b17f36f040a18ff6700881c56607ba6df436f652 Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Fri, 24 Apr 2015 20:10:32 +0200
Subject: Add reset_session for the :reset_session strategy.

---
 lib/omni_auth/request_forgery_protection.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/omni_auth/request_forgery_protection.rb b/lib/omni_auth/request_forgery_protection.rb
index cbbb686473c..3557522d3c9 100644
--- a/lib/omni_auth/request_forgery_protection.rb
+++ b/lib/omni_auth/request_forgery_protection.rb
@@ -1,7 +1,7 @@
 # Protects OmniAuth request phase against CSRF.
 
 module OmniAuth
- # Based from ActionController::RequestForgeryProtection.
+ # Based on ActionController::RequestForgeryProtection.
 class RequestForgeryProtection
 def initialize(env)
 @env = env
@@ -15,6 +15,10 @@ module OmniAuth
 request.session
 end
 
+ def reset_session
+ request.reset_session
+ end
+
 def params
 request.params
 end
-- cgit v1.2.1
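Review bot: `reset_session` is added as a bare delegator with nothing saying why it exists, and the commit subject is the only hint that it is the hook the `:reset_session` forgery-protection strategy calls on the object this class hands over as `self` in `handle_unverified_request`; a one-line comment such as `# Called by the :reset_session strategy via handle_unverified_request.` would keep a later cleanup from removing it as unused. Since the strategy object receives this instance in place of a controller, it is also worth confirming that the other configurable strategies only call methods this class exposes — as far as I recall `:null_session` only uses `request` and `:exception` raises without calling back, but that is not visible in this hunk. The enclosing class starts and ends outside the hunk.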