New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use "state" param to mitigate CSRF #18
Conversation
+1 |
By including SecureRandom you're making the library incompatible with Ruby 1.8. Is there a simple way to refactor to be 1.8 compat? I'm fine EOL'ing 1.8 support but I'd rather not do so for a security fix. |
IIRC SecureRandom is included on Ruby 1.8.7. Ruby 1.8.6 would be deprecated. |
Use "state" param to mitigate CSRF
@mbleigh looks like 1.8.7 supports SecureRandom as well
Also, I've tried it with ree-1.8.7-2011.03 (the only one old thing I still have installed) and it works |
This is merged and has been released as |
So, if folks decide to pass a custom state parameter they will forgo the CSRF protection? Unless they actually use it for that purpose (i.e. pass something that is unique and non guessable each time). If that is true, maybe it would be better to add the CSRF token when the user passes a custom state value, then remove it on the callback. So it would be transparent to the user, but makes CSRF fully automated for providers that support the state param. Thoughts? |
It may be not transparent for the user and instead of helping can just break something in his stack. Also, it looks like a babysitting. The one thing is when the state param is absence and we add it, and the other when it's present and we're trying to “improve” it. I'm not going to implement this. |
I'm a bit late to the party, but is the suggestion to use cookie/session vars for handling custom data and params during the oauth the only current way? The Facebook API docs don't seem to support other custom params besides 'state' (I'm guessing it's in the OAuth spec) So, what ways do we have to send data back and forth per one authing? Architecturally using a session store for just per 1 auth trip data does not seem a good place. |
If it's not a good place, then |
I think the session store is great if you've want to keep stuff that relates to the user and his session, but for info that specifically affects 1 roundtrip to the provider and back, it makes IMO a poor place. I'm not talking about sensitive info. For the session store to work with specific roundtrips you'd have to make sure it gets cleaned up after the client returns (if he returns) from the provider and to make sure that one trip's data doesn't get mixed with other concurrent trips. E.g. if people press two "connect" buttons simultaneously. Or am I misimagining how to use the session store for this? One simple concrete example would be tracking which authing happens in a popup window and which not, and based on that render different views. But, you mention overwriting |
@moll can you please post how do you set your |
Or maybe |
This has apparently broken my ability to use this gem. What's going on? |
…itions to omniauth-oauth2 - omniauth/omniauth-oauth2#18
omniauth/omniauth#612