Commit 4cd259e9 authored by Robert Speicher's avatar Robert Speicher

Merge branch 'fix-omniauth-signin' into 'master'

Fix signin with OmniAuth providers

OmniAuth CSRF protection was broken with the move to Rails 4.2 since
the CSRF logic in Rails changed. 

This new implementation calls out to Rails instead of copying its code,
which is far easier to maintain.

See merge request !2019
parents 792f2bbe 41a4785b
...@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post] ...@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
#In case of auto sign-in, the GET method is used (users don't get to click on a button) #In case of auto sign-in, the GET method is used (users don't get to click on a button)
OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present? OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
OmniAuth.config.before_request_phase do |env| OmniAuth.config.before_request_phase do |env|
OmniAuth::RequestForgeryProtection.new(env).call OmniAuth::RequestForgeryProtection.call(env)
end end
if Gitlab.config.omniauth.enabled if Gitlab.config.omniauth.enabled
......
# Protects OmniAuth request phase against CSRF. # Protects OmniAuth request phase against CSRF.
module OmniAuth module OmniAuth
# Based on ActionController::RequestForgeryProtection. module RequestForgeryProtection
class RequestForgeryProtection class Controller < ActionController::Base
def initialize(env) protect_from_forgery with: :exception
@env = env
end
def request
@request ||= ActionDispatch::Request.new(@env)
end
def session
request.session
end
def reset_session
request.reset_session
end
def params
request.params
end
def call
verify_authenticity_token
end
def verify_authenticity_token
if !verified_request?
Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
handle_unverified_request
end
end
private
def protect_against_forgery? def index
ApplicationController.allow_forgery_protection head :ok
end end
def request_forgery_protection_token
ApplicationController.request_forgery_protection_token
end
def forgery_protection_strategy
ApplicationController.forgery_protection_strategy
end
def verified_request?
!protect_against_forgery? || request.get? || request.head? ||
form_authenticity_token == params[request_forgery_protection_token] ||
form_authenticity_token == request.headers['X-CSRF-Token']
end end
def handle_unverified_request def self.app
forgery_protection_strategy.new(self).handle_unverified_request @app ||= Controller.action(:index)
end end
# Sets the token value for the current session. def self.call(env)
def form_authenticity_token app.call(env)
session[:_csrf_token] ||= SecureRandom.base64(32)
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment