New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding authenticity token so session will persist #674
Conversation
When using the developer login strategy sessions are not being persisted in Rails 4.0.0.beta1 because the authenticity token is not present when submitting the form. By adding the CSRF token to the form as a hidden field, it can be verified, and sessions work properly.
Not sure how I feel about adding Rails-specific behavior to the form. @mbleigh What are your thoughts about this? |
@sferik I sort of felt the same way writing it, but by the time I figured out what the actual issue was, I just wanted to get it working. 😀 I think another solution is to just add |
Added to FAQ. Thanks! |
How about, instead, we make the CSRF token retrieval a |
Damn. Closed this as I was typing out my response. |
@joshjordan While that's certainly a good option, I'm worried about adding Rails-specific functionality. Any thoughts @sferik? |
What @joshjordan has proposed sounds reasonable to me but I’d need to see the code before I 👍. |
Hey @sferic and @beerlington, I was running into this problem today with omniauth-identity and think I found a solution that requires zero changes in Omniauth code: It looks to me like the culprit is the default NullSession forgery protection scheme. I changed that in the application controller and everything worked well: class ApplicationController < ActionController::Base
protect_from_forgery with: :reset_session
.... I'm still reading the docs and code on ActionController::RequestForgeryProtection::ProtectionMethods::ResetSession, but this looks like it might solve my problems and relate to @beerlington 's. If this looks good to you, I'd be glad to turn it into a pull request to the omniauth-identity readme. |
I ran into this issue today while adding OmniAuth to a Rails 4.1.1 app, using the class SessionsController < ApplicationController
skip_before_filter :verify_authenticity_token
def create
@user = User.find_or_create_from_auth_hash(auth_hash)
self.current_user = @user
redirect_to '/'
end
protected
def auth_hash
request.env['omniauth.auth']
end
end Considering the What do you think? |
a5c7282
to
76feeea
Compare
I agree that this doesn't need to be addressed in this gem. For clarification of the security concerns: I had this same problem trying to implement a password grant flow omniauth strategy. The request phase in this flow is just a form (in the client) that gathers the password from the user and submits to the callback (again in the client). When thinking about whether a CSRF token is really necessary in this form, I realized that the whole purpose of the form is to authenticate the user (they are entering their password on this form). If some forged request has that information (the user's password) to submit from off the site, they've already totally compromised the user's security - a CSRF token isn't going to protect the user from an attacker that already has their password. Therefore I believe that skipping CSRF token verification is the right solution, at least for this particular case. In the case of other grant flows (i.e. authorization code), the request should protected from request forgery using a state parameter, which is specified in the OAuth spec. The omniauth-oauth2 strategy gem implements this for you in the client. In this case, again, I believe Rails' built-in CSRF token verification would be redundant (if it even worked), and can therefore be skipped, as recommended above ( |
hey @mltsy would you please start a new issue and ref this one if it's pertinent. |
Sorry, I was just verifying that this doesn't need to be fixed (with justifications of the workaround for various cases, for people who find this issue as I did) - I should have led with that 😉 I'll update my comment! |
This fixes issue #670
When using the developer login strategy sessions are not being persisted
in Rails 4.0.0.beta1 because the authenticity token is not present when
submitting the form. By adding the CSRF token to the form as a hidden
field, it can be verified, and sessions work properly.