author: Imre Farkas <ifarkas@gitlab.com> 2019-07-22 22:52:43 +0200
committer: Imre Farkas <ifarkas@gitlab.com> 2019-07-25 11:12:19 +0200
commit: 94c92ef655eaa491cc183c1c57e02f87439f9265 (patch)
tree: 8e38104e72d384782dbf21dc6cb7132048cacb25
parent: 281d329ff4ac7d28f6df7ce646fbbb3d5776f4ad (diff)
download: gitlab-ce-if-64257-warden_set_user_fix.tar.gz
Prepend protect_from_forgery before sign_in in SessionsController
branch: if-64257-warden_set_user_fix
-rw-r--r-- app/controllers/sessions_controller.rb | 11
1 file changed, 11 insertions, 0 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 7604b31467a..1880bead3ee 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -26,6 +26,17 @@ class SessionsController < Devise::SessionsController
after_action :log_failed_login, if: -> { action_name == 'new' && failed_login? }
helper_method :captcha_enabled?
+ # protect_from_forgery is already prepended in ApplicationController but
+ # authenticate_with_two_factor which signs in the user is prepended before
+ # that here.
+ # We need to make sure CSRF token is verified before authenticating the user
+ # because Devise.clean_up_csrf_token_on_authentication is set to true by
+ # default to avoid CSRF token fixation attacks. Authenticating the user first
+ # would cause the CSRF token to be cleared and then
+ # RequestForgeryProtection#verify_authenticity_token would fail because of
+ # token mismatch.
+ protect_from_forgery with: :exception, prepend: true
+
CAPTCHA_HEADER = 'X-GitLab-Show-Login-Captcha'.freeze
def new
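Review bot: The ordering this fix relies on is implicit: `protect_from_forgery with: :exception, prepend: true` only runs ahead of `authenticate_with_two_factor` because it is declared later in the class body than the `prepend_before_action` for that callback (prepended callbacks are inserted at the front of the chain in declaration order), so a future reorder of these lines would silently reintroduce the token-cleared-before-verification failure the comment describes. Suggest stating that constraint explicitly in the comment, e.g. "This must stay below the prepend_before_action for authenticate_with_two_factor so that verify_authenticity_token runs first", and adding a request spec that POSTs to the sign-in action with a mismatched authenticity token for a 2FA-enabled account and asserts that the request is rejected with no user signed in (the Warden user must remain unset), since the hunk adds no test for the regression it fixes. Minor: with this line in place `verify_authenticity_token` runs twice per request in this controller (once here, once from the ApplicationController filter the comment mentions); that is harmless for an exception-raising check but worth a word in the comment so nobody "deduplicates" it later.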