summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--config/initializers/omniauth.rb2
-rw-r--r--lib/omni_auth/request_forgery_protection.rb63
2 files changed, 10 insertions, 55 deletions
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 70ed10e8275..4c164119fff 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
#In case of auto sign-in, the GET method is used (users don't get to click on a button)
OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
OmniAuth.config.before_request_phase do |env|
- OmniAuth::RequestForgeryProtection.new(env).call
+ OmniAuth::RequestForgeryProtection.call(env)
end
if Gitlab.config.omniauth.enabled
diff --git a/lib/omni_auth/request_forgery_protection.rb b/lib/omni_auth/request_forgery_protection.rb
index 3557522d3c9..69155131d8d 100644
--- a/lib/omni_auth/request_forgery_protection.rb
+++ b/lib/omni_auth/request_forgery_protection.rb
@@ -1,66 +1,21 @@
# Protects OmniAuth request phase against CSRF.
module OmniAuth
- # Based on ActionController::RequestForgeryProtection.
- class RequestForgeryProtection
- def initialize(env)
- @env = env
- end
-
- def request
- @request ||= ActionDispatch::Request.new(@env)
- end
-
- def session
- request.session
- end
-
- def reset_session
- request.reset_session
- end
-
- def params
- request.params
- end
-
- def call
- verify_authenticity_token
- end
+ module RequestForgeryProtection
+ class Controller < ActionController::Base
+ protect_from_forgery with: :exception
- def verify_authenticity_token
- if !verified_request?
- Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
- handle_unverified_request
+ def index
+ head :ok
end
end
- private
-
- def protect_against_forgery?
- ApplicationController.allow_forgery_protection
- end
-
- def request_forgery_protection_token
- ApplicationController.request_forgery_protection_token
- end
-
- def forgery_protection_strategy
- ApplicationController.forgery_protection_strategy
- end
-
- def verified_request?
- !protect_against_forgery? || request.get? || request.head? ||
- form_authenticity_token == params[request_forgery_protection_token] ||
- form_authenticity_token == request.headers['X-CSRF-Token']
- end
-
- def handle_unverified_request
- forgery_protection_strategy.new(self).handle_unverified_request
+ def self.app
+ @app ||= Controller.action(:index)
end
- # Sets the token value for the current session.
- def form_authenticity_token
- session[:_csrf_token] ||= SecureRandom.base64(32)
+ def self.call(env)
+ app.call(env)
end
end
end