Fix signin with OmniAuth providers

41a4785b · Douwe Maan · f5430e48 · 41a4785b · 41a4785b
Commit 41a4785b authored Dec 08, 2015 by Douwe Maan
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 55 deletions

config/initializers/omniauth.rb config/initializers/omniauth.rb +1 -1

lib/omni_auth/request_forgery_protection.rb lib/omni_auth/request_forgery_protection.rb +9 -54

No files found.
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
 #In case of auto sign-in, the GET method is used (users don't get to click on a button)
 OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
 OmniAuth.config.before_request_phase do |env|
-  OmniAuth::RequestForgeryProtection.new(env).call
+  OmniAuth::RequestForgeryProtection.call(env)
 end

 if Gitlab.config.omniauth.enabled

--- a/lib/omni_auth/request_forgery_protection.rb
+++ b/lib/omni_auth/request_forgery_protection.rb
 # Protects OmniAuth request phase against CSRF.

 module OmniAuth
-  # Based on ActionController::RequestForgeryProtection.
-  class RequestForgeryProtection
-    def initialize(env)
-      @env = env
-    end
-
-    def request
-      @request ||= ActionDispatch::Request.new(@env)
-    end
-
-    def session
-      request.session
-    end
-
-    def reset_session
-      request.reset_session
-    end
-
-    def params
-      request.params
-    end
-
-    def call
-      verify_authenticity_token
-    end
+  module RequestForgeryProtection
+    class Controller < ActionController::Base
+      protect_from_forgery with: :exception

-    def verify_authenticity_token
-      if !verified_request?
-        Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
-        handle_unverified_request
+      def index
+        head :ok
      end
    end

-    private
-
-    def protect_against_forgery?
-      ApplicationController.allow_forgery_protection
-    end
-
-    def request_forgery_protection_token
-      ApplicationController.request_forgery_protection_token
-    end
-
-    def forgery_protection_strategy
-      ApplicationController.forgery_protection_strategy
-    end
-
-    def verified_request?
-      !protect_against_forgery? || request.get? || request.head? ||
-        form_authenticity_token == params[request_forgery_protection_token] ||
-        form_authenticity_token == request.headers['X-CSRF-Token']
-    end
-
-    def handle_unverified_request
-      forgery_protection_strategy.new(self).handle_unverified_request
+    def self.app
+      @app ||= Controller.action(:index)
    end

-    # Sets the token value for the current session.
-    def form_authenticity_token
-      session[:_csrf_token] ||= SecureRandom.base64(32)
+    def self.call(env)
+      app.call(env)
    end
  end
 end