
CSRF in Rack for callbacks requests #1087

Closed
AlexWayfer opened this issue Sep 15, 2022 · 0 comments · Fixed by #1106

Comments

@AlexWayfer


Configuration

  • Provider Gem: omniauth-developer
  • Ruby Version: 3.1.2
  • Framework: Flame
  • Platform: Arch Linux

Expected Behavior

OmniAuth-Developer form contains CSRF param and passes it to /auth/developer/callback.

Actual Behavior

I see no _csrf param, even after completing the setup instructions for compatibility.

Steps to Reproduce

# Make OmniAuth's own CSRF protection use the same session key and param name as Rack::Csrf
::OmniAuth::AuthenticityTokenProtection.default_options(key: 'csrf.token', authenticity_param: '_csrf')

# Rack::Csrf rejects (raises on) unsafe requests that lack a valid _csrf param
use Rack::Csrf, raise: true

use OmniAuth::Builder do
  provider :developer
end

Additional info

I've tried the allow_if block from #1074, but it seems it is never called.

The form to authenticate:

<form action="/auth/developer" method="POST">
	<input type="hidden" name="_csrf" value="Bia4XjpqNYzblbtv2TtiYqnsniZIQIHoMZJo5b4eqJI">
	<button type="submit">Connect Developer</button>
</form>

The form from the OmniAuth-Developer provider:

[screenshot: the OmniAuth-Developer sign-in form]

Without the _csrf param (hidden?) the /callback will be rejected (by the Rack::Csrf middleware).

cycomachead added a commit to cycomachead/omniauth that referenced this issue Mar 3, 2023
This changes the default method of the :developer strategy to GET.
It does this by allowing OmniAuth::Form to accept a `:method` option,
which is optional and defaults to 'post', the current behavior.
Because the default behavior remains unchanged, I don't expect this to
introduce any breaking changes.

This allows the developer strategy to work with the directions provided
in the README. Further, it seems that the default action of most
strategies is to use GET for their callbacks.

Fixes omniauth#1087
Fixes omniauth#1061
Fixes omniauth#957