• James Edwards-Jones's avatar
    Avoid CSRF check on SAML failure endpoint · 6548e01f
    James Edwards-Jones authored
    SAML and OAuth failures should cause a message to be presented, as well
    as logging that an attempt was made. These were incorrectly prevented by
    the CSRF check on POST endpoints such as SAML.
    
    In addition we were using a NullSession forgery protection, which made
    testing more difficult and could have allowed account linking to take
    place if a CSRF was ever needed but not present.
    6548e01f
omniauth_callbacks_controller_spec.rb 6.71 KB