Diffstat (limited to 'config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb')
-rw-r--r--config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb28
1 files changed, 4 insertions, 24 deletions
diff --git a/config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb b/config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb
index 1ede92609a9..c6baae56d3d 100644
--- a/config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb
+++ b/config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb
@@ -10,31 +10,11 @@
module OmniAuth
module Strategies
class OAuth2
+ alias_method :original_callback_phase, :callback_phase
+
def callback_phase
- error = request.params["error_reason"].presence || request.params["error"].presence
- # Monkey patch #1:
- #
- # Swap the order of these conditions around so the `state` param is verified *first*,
- # before using the error params returned by the provider.
- #
- # This avoids content spoofing attacks by crafting a URL with malicious messages,
- # because the `state` param is only present in the session after a valid OAuth2 authentication flow.
- if !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
- fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
- elsif error
- fail!(error, CallbackError.new(request.params["error"], request.params["error_description"].presence || request.params["error_reason"].presence, request.params["error_uri"]))
- else
- self.access_token = build_access_token
- self.access_token = access_token.refresh! if access_token.expired?
- super
- end
- rescue ::OAuth2::Error, CallbackError => e
- fail!(:invalid_credentials, e)
- rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
- fail!(:timeout, e)
- rescue ::SocketError => e
- fail!(:failed_to_connect, e)
- # Monkey patch #2:
+ original_callback_phase
+ # Monkey patch #1:
#
# Also catch errors from Faraday.
# See https://github.com/omniauth/omniauth-oauth2/pull/129
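Review bot: The `alias_method :original_callback_phase, :callback_phase` on the new side is not idempotent: if this initializer is evaluated a second time (code reloading, or the file being loaded from two places), the alias captures the already-patched `callback_phase` and the wrapper that calls `original_callback_phase` recurses until the stack overflows, a hazard the removed `super`-based body did not have. The cheapest guard is `alias_method :original_callback_phase, :callback_phase unless method_defined?(:original_callback_phase)`; the more robust form is `prepend` of a small module whose `callback_phase` calls `super` and carries the rescue clauses. Separately, dropping the state-verified-before-error-params ordering presumably relies on the installed omniauth-oauth2 already doing that check itself, and nothing in the hunk records that assumption; a one-line comment such as `# The state-before-error ordering fix now lives upstream in omniauth-oauth2 (see the gem's changelog for the minimum version)` would keep a future gem downgrade from silently reintroducing the content-spoofing issue the removed comment describes. The `callback_phase` body, including the remaining rescue clauses, continues past the end of this hunk.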