nexedi / gitlab-ce

Commit 41a4785b
authored Dec 08, 2015 by Douwe Maan
Fix signin with OmniAuth providers
parent f5430e48

Showing 2 changed files with 10 additions and 55 deletions (+10 -55)
config/initializers/omniauth.rb (+1 -1)
lib/omni_auth/request_forgery_protection.rb (+9 -54)
config/initializers/omniauth.rb
@@ -16,7 +16,7 @@ OmniAuth.config.allowed_request_methods = [:post]
#In case of auto sign-in, the GET method is used (users don't get to click on a button)
OmniAuth
.
config
.
allowed_request_methods
<<
:get
if
Gitlab
.
config
.
omniauth
.
auto_sign_in_with_provider
.
present?
OmniAuth
.
config
.
before_request_phase
do
|
env
|
OmniAuth
::
RequestForgeryProtection
.
new
(
env
).
call
OmniAuth
::
RequestForgeryProtection
.
call
(
env
)
end
if
Gitlab
.
config
.
omniauth
.
enabled
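Review bot: appending :get to allowed_request_methods whenever auto_sign_in_with_provider is present widens the request phase to GET for every configured provider, not only the auto sign-in one, and since Rails' forgery protection (which the replaced call now delegates to via OmniAuth::RequestForgeryProtection.call(env)) skips verification for GET and HEAD requests, those GET-initiated sign-ins get no CSRF check at all. Either add a comment on the `<< :get` line stating that trade-off explicitly, or restrict GET to the single auto sign-in provider's request path if the OmniAuth configuration allows it. Minor style point: the comment `#In case of auto sign-in, ...` is missing the space after `#`.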
lib/omni_auth/request_forgery_protection.rb
# Protects OmniAuth request phase against CSRF.
module
OmniAuth
# Based on ActionController::RequestForgeryProtection.
class
RequestForgeryProtection
def
initialize
(
env
)
@env
=
env
end
def
request
@request
||=
ActionDispatch
::
Request
.
new
(
@env
)
end
def
session
request
.
session
end
def
reset_session
request
.
reset_session
end
def
params
request
.
params
end
def
call
verify_authenticity_token
end
module
RequestForgeryProtection
class
Controller
<
ActionController
::
Base
protect_from_forgery
with: :exception
def
verify_authenticity_token
if
!
verified_request?
Rails
.
logger
.
warn
"Can't verify CSRF token authenticity"
if
Rails
.
logger
handle_unverified_request
def
index
head
:ok
end
end
private
def
protect_against_forgery?
ApplicationController
.
allow_forgery_protection
end
def
request_forgery_protection_token
ApplicationController
.
request_forgery_protection_token
end
def
forgery_protection_strategy
ApplicationController
.
forgery_protection_strategy
end
def
verified_request?
!
protect_against_forgery?
||
request
.
get?
||
request
.
head?
||
form_authenticity_token
==
params
[
request_forgery_protection_token
]
||
form_authenticity_token
==
request
.
headers
[
'X-CSRF-Token'
]
end
def
handle_unverified_request
forgery_protection_strategy
.
new
(
self
).
handle_unverified_request
def
self
.
app
@app
||=
Controller
.
action
(
:index
)
end
# Sets the token value for the current session.
def
form_authenticity_token
session
[
:_csrf_token
]
||=
SecureRandom
.
base64
(
32
)
def
self
.
call
(
env
)
app
.
call
(
env
)
end
end
end
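Review bot: `protect_from_forgery with: :exception` makes the new Controller raise ActionController::InvalidAuthenticityToken on a missing or wrong token, and that exception propagates out of `self.call(env)` into OmniAuth's before_request_phase hook with nothing in this file rescuing it; unless an upstream rescue_from or the OmniAuth failure endpoint catches it, a forged or stale sign-in request produces a 500 instead of a clean 422. Suggest an explicit rescue around `app.call(env)` that returns a 422 response (or a comment naming where the exception is handled). The replacement itself is the right direction: the deleted verified_request? compared params[request_forgery_protection_token] and the X-CSRF-Token header against the raw session[:_csrf_token] with plain ==, which is not a constant-time comparison and, on Rails 4.2 or later where the form helpers emit a masked per-request token, never matches the token a real sign-in form submits, which fits the "Fix signin" commit message. Delegating to a real ActionController::Base subclass via Controller.action(:index) lets Rails' own valid_authenticity_token? handle unmasking and the secure comparison instead of re-implementing them here.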