Fix signin with OmniAuth providers
This commit is contained in:
Douwe Maan
parent
f5430e48b4
commit
41a4785b85
|
|
@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
|
||||||
#In case of auto sign-in, the GET method is used (users don't get to click on a button)
|
#In case of auto sign-in, the GET method is used (users don't get to click on a button)
|
||||||
OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
|
OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present?
|
||||||
OmniAuth.config.before_request_phase do |env|
|
OmniAuth.config.before_request_phase do |env|
|
||||||
OmniAuth::RequestForgeryProtection.new(env).call
|
OmniAuth::RequestForgeryProtection.call(env)
|
||||||
end
|
end
|
||||||
|
|
||||||
if Gitlab.config.omniauth.enabled
|
if Gitlab.config.omniauth.enabled
|
||||||
|
|
|
||||||
|
|
@ -1,66 +1,21 @@
|
||||||
# Protects OmniAuth request phase against CSRF.
|
# Protects OmniAuth request phase against CSRF.
|
||||||
|
|
||||||
module OmniAuth
|
module OmniAuth
|
||||||
# Based on ActionController::RequestForgeryProtection.
|
module RequestForgeryProtection
|
||||||
class RequestForgeryProtection
|
class Controller < ActionController::Base
|
||||||
def initialize(env)
|
protect_from_forgery with: :exception
|
||||||
@env = env
|
|
||||||
end
|
|
||||||
|
|
||||||
def request
|
def index
|
||||||
@request ||= ActionDispatch::Request.new(@env)
|
head :ok
|
||||||
end
|
|
||||||
|
|
||||||
def session
|
|
||||||
request.session
|
|
||||||
end
|
|
||||||
|
|
||||||
def reset_session
|
|
||||||
request.reset_session
|
|
||||||
end
|
|
||||||
|
|
||||||
def params
|
|
||||||
request.params
|
|
||||||
end
|
|
||||||
|
|
||||||
def call
|
|
||||||
verify_authenticity_token
|
|
||||||
end
|
|
||||||
|
|
||||||
def verify_authenticity_token
|
|
||||||
if !verified_request?
|
|
||||||
Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
|
|
||||||
handle_unverified_request
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
private
|
def self.app
|
||||||
|
@app ||= Controller.action(:index)
|
||||||
def protect_against_forgery?
|
|
||||||
ApplicationController.allow_forgery_protection
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def request_forgery_protection_token
|
def self.call(env)
|
||||||
ApplicationController.request_forgery_protection_token
|
app.call(env)
|
||||||
end
|
|
||||||
|
|
||||||
def forgery_protection_strategy
|
|
||||||
ApplicationController.forgery_protection_strategy
|
|
||||||
end
|
|
||||||
|
|
||||||
def verified_request?
|
|
||||||
!protect_against_forgery? || request.get? || request.head? ||
|
|
||||||
form_authenticity_token == params[request_forgery_protection_token] ||
|
|
||||||
form_authenticity_token == request.headers['X-CSRF-Token']
|
|
||||||
end
|
|
||||||
|
|
||||||
def handle_unverified_request
|
|
||||||
forgery_protection_strategy.new(self).handle_unverified_request
|
|
||||||
end
|
|
||||||
|
|
||||||
# Sets the token value for the current session.
|
|
||||||
def form_authenticity_token
|
|
||||||
session[:_csrf_token] ||= SecureRandom.base64(32)
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue