| author | Imre Farkas <ifarkas@gitlab.com> | 2019-07-26 07:05:50 +0000 |
|---|---|---|
| committer | James Lopez <james@gitlab.com> | 2019-07-26 07:05:50 +0000 |
| commit | 929b403d21308cb7843aa474bfba599345b706b4 (patch) | |
| tree | 14238ab87d98381ccc7f140789c4829c926d32bf /app/controllers/sessions_controller.rb | |
| parent | 13958668854bc98676d6414c0debaeb4b91a9943 (diff) | |
| download | gitlab-ce-929b403d21308cb7843aa474bfba599345b706b4.tar.gz | |
Ensure Warden triggers after_authentication callback
By not triggering the callback:
- ActiveSession lookup keys are not cleaned
- Devise also misses its hook related to session cleanup
Diffstat (limited to 'app/controllers/sessions_controller.rb')

| -rw-r--r-- | app/controllers/sessions_controller.rb | 11 |
|---|---|---|

1 files changed, 11 insertions, 0 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 7604b31467a..1880bead3ee 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -26,6 +26,17 @@ class SessionsController < Devise::SessionsController after_action :log_failed_login, if: -> { action_name == 'new' && failed_login? } helper_method :captcha_enabled? + # protect_from_forgery is already prepended in ApplicationController but + # authenticate_with_two_factor which signs in the user is prepended before + # that here. + # We need to make sure CSRF token is verified before authenticating the user + # because Devise.clean_up_csrf_token_on_authentication is set to true by + # default to avoid CSRF token fixation attacks. Authenticating the user first + # would cause the CSRF token to be cleared and then + # RequestForgeryProtection#verify_authenticity_token would fail because of + # token mismatch. + protect_from_forgery with: :exception, prepend: true + CAPTCHA_HEADER = 'X-GitLab-Show-Login-Captcha'.freeze def new |
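Review bot: The ordering guarantee this hunk relies on (the new `protect_from_forgery with: :exception, prepend: true` line must be declared after `authenticate_with_two_factor` is prepended, so that the CSRF check runs before the user is signed in and the token is cleared) is enforced only by declaration order, and nothing in the file asserts it; add a request spec that POSTs to the sign-in endpoint with a missing or mismatched authenticity token and checks that the request is rejected without a session being created, so a future reordering of the prepended callbacks is caught. Please also confirm that `with: :exception` matches the forgery-protection strategy ApplicationController already uses, since the comment states that controller already prepends `protect_from_forgery`; a different strategy here would give the login endpoint a failure mode that differs from the rest of the application.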