author | Douwe Maan <douwe@gitlab.com> | 2015-12-08 14:41:19 +0100 |
committer | Douwe Maan <douwe@gitlab.com> | 2015-12-08 14:58:15 +0100 |
commit | 41a4785b855a082197b3c22004cb8af96e5453ee (patch) | |
tree | 7c6c06f2f3bc391e49b5f11acfb38474f87e2aa4 /lib/omni_auth | |
parent | f5430e48b42227f1c1874ca27c6907f0f704be28 (diff) | |
Fix signin with OmniAuth providersfix-omniauth-signin
Diffstat (limited to 'lib/omni_auth')
-rw-r--r-- | lib/omni_auth/request_forgery_protection.rb | 63 |
1 files changed, 9 insertions, 54 deletions
diff --git a/lib/omni_auth/request_forgery_protection.rb b/lib/omni_auth/request_forgery_protection.rb
index 3557522d3c9..69155131d8d 100644
--- a/lib/omni_auth/request_forgery_protection.rb
+++ b/lib/omni_auth/request_forgery_protection.rb
@@ -1,66 +1,21 @@
 # Protects OmniAuth request phase against CSRF.
 module OmniAuth
-  # Based on ActionController::RequestForgeryProtection.
-  class RequestForgeryProtection
-    def initialize(env)
-      @env = env
-    end
-
-    def request
-      @request ||= ActionDispatch::Request.new(@env)
-    end
-
-    def session
-      request.session
-    end
-
-    def reset_session
-      request.reset_session
-    end
-
-    def params
-      request.params
-    end
-
-    def call
-      verify_authenticity_token
-    end
+  module RequestForgeryProtection
+    class Controller < ActionController::Base
+      protect_from_forgery with: :exception
 
-    def verify_authenticity_token
-      if !verified_request?
-        Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
-        handle_unverified_request
+      def index
+        head :ok
       end
     end
 
-    private
-
-    def protect_against_forgery?
-      ApplicationController.allow_forgery_protection
-    end
-
-    def request_forgery_protection_token
-      ApplicationController.request_forgery_protection_token
-    end
-
-    def forgery_protection_strategy
-      ApplicationController.forgery_protection_strategy
-    end
-
-    def verified_request?
-      !protect_against_forgery? || request.get? || request.head? ||
-        form_authenticity_token == params[request_forgery_protection_token] ||
-        form_authenticity_token == request.headers['X-CSRF-Token']
-    end
-
-    def handle_unverified_request
-      forgery_protection_strategy.new(self).handle_unverified_request
+    def self.app
+      @app ||= Controller.action(:index)
     end
 
-    # Sets the token value for the current session.
-    def form_authenticity_token
-      session[:_csrf_token] ||= SecureRandom.base64(32)
+    def self.call(env)
+      app.call(env)
     end
   end
 end
 
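Review bot: `self.call(env)` now fails by raising rather than by returning a result, because `protect_from_forgery with: :exception` makes a failed token check raise `ActionController::InvalidAuthenticityToken` out of `app.call(env)`, and nothing in the hunk documents that contract; the caller of `OmniAuth::RequestForgeryProtection.call` lives outside this file and must rescue it and produce an auth-failure response, or the request phase will surface as an unhandled exception. The Rails verification also skips GET and HEAD requests, exactly as the deleted `verified_request?` did, so this guard only protects the OmniAuth request phase if that phase is restricted to POST elsewhere in the configuration; that is not visible here and is worth stating next to the entry point. I would add above `def self.call(env)`: `# Rack-style entry point for OmniAuth's request phase. Raises ActionController::InvalidAuthenticityToken when the CSRF token check fails; GET/HEAD requests are never verified, so the request phase must be limited to POST for this check to be effective.` A one-line comment on `Controller` noting that it subclasses `ActionController::Base` directly, so none of `ApplicationController`'s filters apply, would also help the next reader.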