Merge branch 'fix-omniauth-signin' into 'master'

Fix signin with OmniAuth providers OmniAuth CSRF protection was broken with the move to Rails 4.2 since the CSRF logic in Rails changed. This new implementation calls out to Rails instead of copying its code, which is far easier to maintain. See merge request !2019

Merge branch 'fix-omniauth-signin' into 'master'
Fix signin with OmniAuth providers OmniAuth CSRF protection was broken with the move to Rails 4.2 since the CSRF logic in Rails changed. This new implementation calls out to Rails instead of copying its code, which is far easier to maintain. See merge request !2019
4cd259e9 · Robert Speicher · 792f2bbe · 41a4785b · 4cd259e9 · 4cd259e9
Commit 4cd259e9 authored Dec 08, 2015 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 55 deletions

config/initializers/omniauth.rb config/initializers/omniauth.rb +1 -1

lib/omni_auth/request_forgery_protection.rb lib/omni_auth/request_forgery_protection.rb +9 -54

No files found.
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
 #In case of auto sign-in, the GET method is used (users don't get to click on a button)
 OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
 OmniAuth.config.before_request_phase do |env|
-  OmniAuth::RequestForgeryProtection.new(env).call
+  OmniAuth::RequestForgeryProtection.call(env)
 end
 if Gitlab.config.omniauth.enabled

--- a/lib/omni_auth/request_forgery_protection.rb
+++ b/lib/omni_auth/request_forgery_protection.rb
 # Protects OmniAuth request phase against CSRF.
 module OmniAuth
-  # Based on ActionController::RequestForgeryProtection.
+  module RequestForgeryProtection
-  class RequestForgeryProtection
+    class Controller < ActionController::Base
-    def initialize(env)
+      protect_from_forgery with: :exception
-      @env = env
-    end
-    def request
-      @request ||= ActionDispatch::Request.new(@env)
-    end
-    def session
-      request.session
-    end
-    def reset_session
-      request.reset_session
-    end
-    def params
-      request.params
-    end
-    def call
-      verify_authenticity_token
-    end
-    def verify_authenticity_token
+      def index
-      if !verified_request?
+        head :ok
-        Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
-        handle_unverified_request
      end
    end
-    private
+    def self.app
+      @app ||= Controller.action(:index)
-    def protect_against_forgery?
-      ApplicationController.allow_forgery_protection
-    end
-    def request_forgery_protection_token
-      ApplicationController.request_forgery_protection_token
-    end
-    def forgery_protection_strategy
-      ApplicationController.forgery_protection_strategy
-    end
-    def verified_request?
-      !protect_against_forgery? || request.get? || request.head? ||
-        form_authenticity_token == params[request_forgery_protection_token] ||
-        form_authenticity_token == request.headers['X-CSRF-Token']
-    end
-    def handle_unverified_request
-      forgery_protection_strategy.new(self).handle_unverified_request
    end
-    # Sets the token value for the current session.
+    def self.call(env)
-    def form_authenticity_token
+      app.call(env)
-      session[:_csrf_token] ||= SecureRandom.base64(32)
    end
  end
 end