From 929b403d21308cb7843aa474bfba599345b706b4 Mon Sep 17 00:00:00 2001 From: Imre Farkas Date: Fri, 26 Jul 2019 07:05:50 +0000 Subject: Ensure Warden triggers after_authentication callback By not triggering the callback: - ActiveSession lookup keys are not cleaned - Devise also misses its hook related to session cleanup --- app/controllers/sessions_controller.rb | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'app/controllers/sessions_controller.rb') diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 7604b31467a..1880bead3ee 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -26,6 +26,17 @@ class SessionsController < Devise::SessionsController after_action :log_failed_login, if: -> { action_name == 'new' && failed_login? } helper_method :captcha_enabled? + # protect_from_forgery is already prepended in ApplicationController but + # authenticate_with_two_factor which signs in the user is prepended before + # that here. + # We need to make sure CSRF token is verified before authenticating the user + # because Devise.clean_up_csrf_token_on_authentication is set to true by + # default to avoid CSRF token fixation attacks. Authenticating the user first + # would cause the CSRF token to be cleared and then + # RequestForgeryProtection#verify_authenticity_token would fail because of + # token mismatch. + protect_from_forgery with: :exception, prepend: true + CAPTCHA_HEADER = 'X-GitLab-Show-Login-Captcha'.freeze def new -- cgit v1.2.1