github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-04-25 15:54:26 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

DEV: If only one auth provider is enabled allow GET request

Browse Source 
In this case, the auth provider is acting as a SSO provider, and can be trusted to maintain its own CSRF protections.
This commit is contained in:
David Taylor 2019-08-09 14:44:03 +01:00
parent d348368ab6
commit 1a8fee11a0
3 changed files with 16 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
config/initializers/009-omniauth.rb
View File

@ -7,4 +7,3 @@ require "middleware/omniauth_bypass_middleware"
Rails.application.config.middleware.use Middleware::OmniauthBypassMiddleware Rails.application.config.middleware.use Middleware::OmniauthBypassMiddleware
OmniAuth.config.logger = Rails.logger OmniAuth.config.logger = Rails.logger
OmniAuth.config.allowed_request_methods = [:post]

11
lib/middleware/omniauth_bypass_middleware.rb
View File

@ -22,8 +22,10 @@ class Middleware::OmniauthBypassMiddleware
end end
@omniauth.before_request_phase do |env| @omniauth.before_request_phase do |env|
# Check for CSRF token request = ActionDispatch::Request.new(env)
CSRFTokenVerifier.new.call(env)
# Check for CSRF token in POST requests
CSRFTokenVerifier.new.call(env) if request.request_method.downcase.to_sym != :get
# Check whether the authenticator is enabled # Check whether the authenticator is enabled
if !Discourse.enabled_authenticators.any? { |a| a.name == env['omniauth.strategy'].name } if !Discourse.enabled_authenticators.any? { |a| a.name == env['omniauth.strategy'].name }
@ -31,7 +33,6 @@ class Middleware::OmniauthBypassMiddleware
end end
# If the user is trying to reconnect to an existing account, store in session # If the user is trying to reconnect to an existing account, store in session
request = ActionDispatch::Request.new(env)
request.session[:auth_reconnect] = !!request.params["reconnect"] request.session[:auth_reconnect] = !!request.params["reconnect"]
end end
end end
@ -39,6 +40,10 @@ class Middleware::OmniauthBypassMiddleware
def call(env) def call(env)
if env["PATH_INFO"].start_with?("/auth") if env["PATH_INFO"].start_with?("/auth")
begin begin
# When only one provider is enabled, assume it can be completely trusted, and allow GET requests
only_one_provider = !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1
OmniAuth.config.allowed_request_methods = only_one_provider ? [:get, :post] : [:post]
@omniauth.call(env) @omniauth.call(env)
rescue AuthenticatorDisabled => e rescue AuthenticatorDisabled => e
# Authenticator is disabled, pretend it doesn't exist and pass request to app # Authenticator is disabled, pretend it doesn't exist and pass request to app

8
spec/requests/omniauth_callbacks_controller_spec.rb
View File

@ -146,6 +146,14 @@ RSpec.describe Users::OmniauthCallbacksController do
post "/auth/google_oauth2", params: { authenticity_token: token } post "/auth/google_oauth2", params: { authenticity_token: token }
expect(response.status).to eq(302) expect(response.status).to eq(302)
end end
it "should not be CSRF protected if it is the only auth method" do
get "/auth/google_oauth2"
expect(response.status).to eq(200)
SiteSetting.enable_local_logins = false
get "/auth/google_oauth2"
expect(response.status).to eq(302)
end
end end
end end