Commit 4cd259e9 authored by Robert Speicher's avatar Robert Speicher

Merge branch 'fix-omniauth-signin' into 'master'

Fix signin with OmniAuth providers

OmniAuth CSRF protection was broken with the move to Rails 4.2 since
the CSRF logic in Rails changed. 

This new implementation calls out to Rails instead of copying its code,
which is far easier to maintain.

See merge request !2019
parents 792f2bbe 41a4785b
......@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
#In case of auto sign-in, the GET method is used (users don't get to click on a button)
OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
OmniAuth.config.before_request_phase do |env|
OmniAuth::RequestForgeryProtection.new(env).call
OmniAuth::RequestForgeryProtection.call(env)
end
if Gitlab.config.omniauth.enabled
......
# Protects OmniAuth request phase against CSRF.
module OmniAuth
# Based on ActionController::RequestForgeryProtection.
class RequestForgeryProtection
def initialize(env)
@env = env
end
def request
@request ||= ActionDispatch::Request.new(@env)
end
def session
request.session
end
def reset_session
request.reset_session
end
def params
request.params
end
def call
verify_authenticity_token
end
def verify_authenticity_token
if !verified_request?
Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
handle_unverified_request
end
end
private
module RequestForgeryProtection
class Controller < ActionController::Base
protect_from_forgery with: :exception
def protect_against_forgery?
ApplicationController.allow_forgery_protection
def index
head :ok
end
def request_forgery_protection_token
ApplicationController.request_forgery_protection_token
end
def forgery_protection_strategy
ApplicationController.forgery_protection_strategy
end
def verified_request?
!protect_against_forgery? || request.get? || request.head? ||
form_authenticity_token == params[request_forgery_protection_token] ||
form_authenticity_token == request.headers['X-CSRF-Token']
end
def handle_unverified_request
forgery_protection_strategy.new(self).handle_unverified_request
def self.app
@app ||= Controller.action(:index)
end
# Sets the token value for the current session.
def form_authenticity_token
session[:_csrf_token] ||= SecureRandom.base64(32)
def self.call(env)
app.call(env)
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment