diff options
| author | Douwe Maan <douwe@gitlab.com> | 2015-12-08 14:41:19 +0100 |
|---|---|---|
| committer | Douwe Maan <douwe@gitlab.com> | 2015-12-08 14:58:15 +0100 |
| commit | 41a4785b855a082197b3c22004cb8af96e5453ee (patch) | |
| tree | 7c6c06f2f3bc391e49b5f11acfb38474f87e2aa4 | |
| parent | f5430e48b42227f1c1874ca27c6907f0f704be28 (diff) | |
| download | gitlab-ce-fix-omniauth-signin.tar.gz | |
Fix signin with OmniAuth providersfix-omniauth-signin
| -rw-r--r-- | config/initializers/omniauth.rb | 2 | ||||
| -rw-r--r-- | lib/omni_auth/request_forgery_protection.rb | 63 |
2 files changed, 10 insertions, 55 deletions
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb index 70ed10e8275..4c164119fff 100644 --- a/config/initializers/omniauth.rb +++ b/config/initializers/omniauth.rb @@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post] #In case of auto sign-in, the GET method is used (users don't get to click on a button) OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present? OmniAuth.config.before_request_phase do |env| - OmniAuth::RequestForgeryProtection.new(env).call + OmniAuth::RequestForgeryProtection.call(env) end if Gitlab.config.omniauth.enabled diff --git a/lib/omni_auth/request_forgery_protection.rb b/lib/omni_auth/request_forgery_protection.rb index 3557522d3c9..69155131d8d 100644 --- a/lib/omni_auth/request_forgery_protection.rb +++ b/lib/omni_auth/request_forgery_protection.rb @@ -1,66 +1,21 @@ # Protects OmniAuth request phase against CSRF. module OmniAuth - # Based on ActionController::RequestForgeryProtection. - class RequestForgeryProtection - def initialize(env) - @env = env - end - - def request - @request ||= ActionDispatch::Request.new(@env) - end - - def session - request.session - end - - def reset_session - request.reset_session - end - - def params - request.params - end - - def call - verify_authenticity_token - end + module RequestForgeryProtection + class Controller < ActionController::Base + protect_from_forgery with: :exception - def verify_authenticity_token - if !verified_request? - Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger - handle_unverified_request + def index + head :ok end end - private - - def protect_against_forgery? - ApplicationController.allow_forgery_protection - end - - def request_forgery_protection_token - ApplicationController.request_forgery_protection_token - end - - def forgery_protection_strategy - ApplicationController.forgery_protection_strategy - end - - def verified_request? - !protect_against_forgery? || request.get? || request.head? || - form_authenticity_token == params[request_forgery_protection_token] || - form_authenticity_token == request.headers['X-CSRF-Token'] - end - - def handle_unverified_request - forgery_protection_strategy.new(self).handle_unverified_request + def self.app + @app ||= Controller.action(:index) end - # Sets the token value for the current session. - def form_authenticity_token - session[:_csrf_token] ||= SecureRandom.base64(32) + def self.call(env) + app.call(env) end end end |