Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Store plain Hash in session['authorize_params'] #150

Merged
merged 1 commit into from
Nov 2, 2022
Merged

Store plain Hash in session['authorize_params'] #150

merged 1 commit into from
Nov 2, 2022

Conversation

santry
Copy link
Contributor

@santry santry commented Oct 25, 2022
edited

This PR relates to Auth0 support ticket #01310199.

The params object that gets stored in session['authorize_params'] for token verification is an instance of OmniAuth::Strategy::Options, an eventual subclass of Hashie::Mash. In reality, it's always treated as a regular hash, and none of Hashie::Mash's features are used.

Since values in the session get serialized into a session store (e.g., Redis::Store in our case), this session['authorize_params]' value is getting serialized as an instance of OmniAuth::Strategy::Options. This causes problems when code that doesn't have the
OmniAuth::Strategy::Options class loaded tries to load the session and deserialize its contents. Since this Options class is unknown, the code that's loading the session blows up.

This patch simply gets a regular hash from the params object before storing it in the session. This way, we're just storing a plain Ruby Hash, which is guaranteed to be available by any code that needs to deserialize the session.

Changes

Please describe both what is changing and why this is important. Include:

  • Endpoints added, deleted, deprecated, or changed
  • Classes and methods added, deleted, deprecated, or changed
  • Screenshots of new or changed UI, if applicable
  • A summary of usage if this is a new feature or change to a public API (this should also be added to relevant documentation once released)

References

Please include relevant links supporting this change such as a:

  • support ticket
  • community post
  • StackOverflow post
  • support forum thread
  • related GitHub issue in this or another repo

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds unit test coverage
  • This change has been tested on the latest version of the platform/language or why not

Checklist

@santry santry requested a review from a team as a code owner October 25, 2022 03:19
@santry
Store plain Hash in session['authorize_params']
b94bc8f 
The `params` object that gets stored in `session['authorize_params']`
for token verification is an instance of `OmniAuth::Strategy::Options`,
an eventual subclass of `Hashie::Mash`. In reality, it's always treated
as a regular hash, and none of `Hashie::Mash`'s features are used.

Since values in the session get serialized into a session store (e.g.,
`Redis::Store` in our case), this `session['authorize_params]'` value is
getting serialized as an instance of `OmniAuth::Strategy::Options`. This
causes problems when code that doesn't have the
`OmniAuth::Strategy::Options` class loaded tries to load the session and
deserialize its contents. Since this `Options` class is unknown, the
code that's loading the session blows up.

This patch simply gets a regular hash from the `params` object before
storing it in the session. This way, we're just storing a plain Ruby
`Hash`, which is guaranteed to be available by any code that needs to
deserialize the session.
@stevehobbsdev
Copy link
Contributor

Thanks for raising @santry, looks good on the surface. Will review in detail today 👍

@santry
Copy link
Contributor Author

santry commented Nov 1, 2022

Thanks @stevehobbsdev. Let me know if I can be of assistance.

@stevehobbsdev stevehobbsdev merged commit c6c9595 into auth0:master Nov 2, 2022
@santry santry deleted the ss-authorize-params-hash branch November 2, 2022 13:03
@stevehobbsdev
Copy link
Contributor

@santry I don't know why this didn't show as part of this PR's CI run but I'm getting an error with the test you added here: https://app.circleci.com/pipelines/github/auth0/omniauth-auth0/248/workflows/dbd7ab6a-1575-44c5-8576-d39a26d7f9a7/jobs/671

Do you have any idea why this might be failing? It's part of this PR.

@stevehobbsdev stevehobbsdev mentioned this pull request Dec 8, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevehobbsdev stevehobbsdev stevehobbsdev approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@santry @stevehobbsdev