Callback is using HTTP GET #39

Closed
pirj opened this issue Sep 23, 2012 · 2 comments

Comments

pirj commented Sep 23, 2012

/auth/identity/callback is called using HTTP GET and this has a major downside, since the path is saved in browser history with cleartext password and auth_key.

Author

pirj commented Oct 13, 2012

Replacing omniauth-identity with hand-made authentication was a matter of half an hour and a few lines of code. Now I don't have any autogenerated forms, GET callbacks with plaintext password, extra dependencies.

Consider yanking the gem as completely unusable.

Member

pboling commented Feb 14, 2021

The requests are made upstream by the core omniauth gem. I think you may be referring to the open CVE on omniauth, which requires app-level modifications to resolve.

In any case, this gem doesn't make requests, omniauth does. Closing.

pboling closed this as completed Feb 14, 2021
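
For anyone checking whether their own deployment was affected by what this issue reports, the following added example (not part of the thread and not code from omniauth or omniauth-identity) scans access-log lines for requests to `/auth/identity/callback` that carry `password` or `auth_key` in the URL and emits a redacted copy of each hit. The log layout, the treatment of those two names as query-string keys, and the sample lines are assumptions.

```ruby
require "uri"

# Path and parameter names are taken from the issue text; treating them as
# query-string keys and the access-log layout below are assumptions.
CALLBACK_PATH    = "/auth/identity/callback"
SENSITIVE_PARAMS = %w[password auth_key].freeze
REQUEST_RE       = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# Constructed sample lines (documentation addresses, made-up credentials).
SAMPLE_LOG = <<~LOG.lines(chomp: true)
  203.0.113.7 - - [23/Sep/2012:10:00:01 +0000] "GET /auth/identity/callback?auth_key=alice%40example.test&password=hunter2 HTTP/1.1" 302 0
  203.0.113.7 - - [23/Sep/2012:10:00:05 +0000] "POST /auth/identity/callback HTTP/1.1" 302 0
  203.0.113.9 - - [23/Sep/2012:10:01:00 +0000] "GET /auth/identity HTTP/1.1" 200 512
LOG

# Returns [method, path, leaked_names], or nil when the line carries no
# credential parameter on the callback URL.
def credential_leak(line)
  m = REQUEST_RE.match(line) or return nil
  path, query = m[:target].split("?", 2)
  return nil unless path == CALLBACK_PATH && query
  names = begin
    URI.decode_www_form(query).map(&:first)
  rescue ArgumentError # malformed percent-encoding: fall back to raw keys
    query.split("&").map { |kv| kv.split("=", 2).first.to_s }
  end
  leaked = names & SENSITIVE_PARAMS
  leaked.empty? ? nil : [m[:method], path, leaked]
end

# Masks the values of the sensitive parameters so the finding can be
# reported or archived without repeating the secret.
def redact(line)
  line.sub(REQUEST_RE) do |req|
    req.gsub(/([?&](?:#{SENSITIVE_PARAMS.join("|")})=)[^&\s"]*/, '\1[REDACTED]')
  end
end

# One entry per offending line: what leaked, plus a redacted copy.
def scan(lines)
  lines.filter_map do |line|
    hit = credential_leak(line)
    { hit: hit, safe_line: redact(line) } if hit
  end
end

scan(SAMPLE_LOG).each { |f| puts "#{f[:hit].inspect}\n  #{f[:safe_line]}" }
```

Any hit means the credential also sits in that server's stored logs, so the affected password should be treated as exposed and rotated.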