Skip to content

Use verify_authenticity_token directly #20

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Use verify_authenticity_token directly #20

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8688c86
Add rails 7.2 and 8.0 to the build matrix
nevans Nov 9, 2024
16d5ec6
Inherit config from ActionController::Base
nevans Sep 24, 2024
dcdf698
Use verify_authenticity_token directly
nevans Sep 24, 2024
68b4ab2
Wrap exception with OmniAuth::AuthenticityError
nevans Oct 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion .github/workflows/tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ jobs:
- ruby: "3.1"
rails: ~> 7.1.0
- ruby: "3.1"
rails: edge
rails: ~> 7.2.0

- ruby: "3.2"
rails: ~> 6.0.0
Expand All @@ -83,6 +83,10 @@ jobs:
rails: ~> 7.0.0
- ruby: "3.2"
rails: ~> 7.1.0
- ruby: "3.2"
rails: ~> 7.2.0
- ruby: "3.2"
rails: ~> 8.0.0
- ruby: "3.2"
rails: edge

Expand All @@ -94,6 +98,10 @@ jobs:
rails: ~> 7.0.0
- ruby: "3.3"
rails: ~> 7.1.0
- ruby: "3.3"
rails: ~> 7.2.0
- ruby: "3.3"
rails: ~> 8.0.0
- ruby: "3.3"
rails: edge

Expand Down
35 changes: 24 additions & 11 deletions lib/omniauth/rails_csrf_protection/token_verifier.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,36 +13,49 @@ module RailsCsrfProtection
# authenticity token, you can find the source code at
# https://github.com/rails/rails/blob/v5.2.2/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L217-L240.
class TokenVerifier
# Inherits config from ActionController::Base.
# Define _before_ including ActionController::RequestForgeryProtection.
def self.config
@_config ||= ActionController::Base.config.inheritable_copy
end

include ActiveSupport::Configurable
include ActionController::RequestForgeryProtection

# `ActionController::RequestForgeryProtection` contains a few
# configurable options. As we want to make sure that our configuration is
# the same as what being set in `ActionController::Base`, we should make
# all out configuration methods to delegate to `ActionController::Base`.
config.each_key do |configuration_name|
undef_method configuration_name
define_method configuration_name do
ActionController::Base.config[configuration_name]
end
end
# our configuration delegate to `ActionController::Base`.
config.each_key do |key| config.delete(key) end

# OmniAuth expects us to raise an exception on auth failure.
self.forgery_protection_strategy = protection_method_class(:exception)

# Logging from ActionController::RequestForgeryProtection is redundant.
# OmniAuth logs basically the same message (from the exception).
self.log_warning_on_csrf_failure = false

def call(env)
dup._call(env)
end

def _call(env)
@request = ActionDispatch::Request.new(env.dup)

unless verified_request?
raise ActionController::InvalidAuthenticityToken
end
verify_authenticity_token
rescue ActionController::ActionControllerError => ex
logger.warn "Attack prevented by #{self.class}"
# wrapped exception:
# * rescued and handled by OmniAuth::Strategy#request_call
# * contains #cause with original exception
raise OmniAuth::AuthenticityError, "[#{ex.class}] #{ex}"
end

private

attr_reader :request
delegate :params, :session, to: :request

delegate :logger, to: OmniAuth
end
end
end