Merge branch 'fix-omniauth-signin' into 'master'

Fix signin with OmniAuth providers OmniAuth CSRF protection was broken with the move to Rails 4.2 since the CSRF logic in Rails changed. This new implementation calls out to Rails instead of copying its code, which is far easier to maintain. See merge request !2019

Merge branch 'fix-omniauth-signin' into 'master'
Fix signin with OmniAuth providers OmniAuth CSRF protection was broken with the move to Rails 4.2 since the CSRF logic in Rails changed. This new implementation calls out to Rails instead of copying its code, which is far easier to maintain. See merge request !2019
4cd259e9 · Robert Speicher · 792f2bbe · 41a4785b · 4cd259e9 · 4cd259e9
Commit 4cd259e9 authored Dec 08, 2015 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 55 deletions

config/initializers/omniauth.rb config/initializers/omniauth.rb +1 -1

lib/omni_auth/request_forgery_protection.rb lib/omni_auth/request_forgery_protection.rb +9 -54

No files found.
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
 #In case of auto sign-in, the GET method is used (users don't get to click on a button)
 OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
 OmniAuth.config.before_request_phase do |env|
-  OmniAuth::RequestForgeryProtection.new(env).call
+  OmniAuth::RequestForgeryProtection.call(env)
 end

 if Gitlab.config.omniauth.enabled

--- a/lib/omni_auth/request_forgery_protection.rb
+++ b/lib/omni_auth/request_forgery_protection.rb
 # Protects OmniAuth request phase against CSRF.

 module OmniAuth
-  # Based on ActionController::RequestForgeryProtection.
-  class RequestForgeryProtection
-    def initialize(env)
-      @env = env
-    end
-
-    def request
-      @request ||= ActionDispatch::Request.new(@env)
-    end
-
-    def session
-      request.session
-    end
-
-    def reset_session
-      request.reset_session
-    end
-
-    def params
-      request.params
-    end
-
-    def call
-      verify_authenticity_token
-    end
+  module RequestForgeryProtection
+    class Controller < ActionController::Base
+      protect_from_forgery with: :exception

-    def verify_authenticity_token
-      if !verified_request?
-        Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
-        handle_unverified_request
+      def index
+        head :ok
      end
    end

-    private
-
-    def protect_against_forgery?
-      ApplicationController.allow_forgery_protection
-    end
-
-    def request_forgery_protection_token
-      ApplicationController.request_forgery_protection_token
-    end
-
-    def forgery_protection_strategy
-      ApplicationController.forgery_protection_strategy
-    end
-
-    def verified_request?
-      !protect_against_forgery? || request.get? || request.head? ||
-        form_authenticity_token == params[request_forgery_protection_token] ||
-        form_authenticity_token == request.headers['X-CSRF-Token']
-    end
-
-    def handle_unverified_request
-      forgery_protection_strategy.new(self).handle_unverified_request
+    def self.app
+      @app ||= Controller.action(:index)
    end

-    # Sets the token value for the current session.
-    def form_authenticity_token
-      session[:_csrf_token] ||= SecureRandom.base64(32)
+    def self.call(env)
+      app.call(env)
    end
  end
 end