github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-29 01:31:35 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FEATURE: Allow admins to opt-in to seamless redirects on /auth/* (#31235)

Browse Source 
By default, when multiple login providers are enabled, Discourse
requires user interaction before triggering an external auth flow. This
is defense-in-depth against "Login CSRF" attacks.

This commit introduces a setting to control this behavior, so that it
can be disabled when admins fully trust the downstream systems, and need
an interaction-free login flow on a site with multiple login providers.

Default behavior remains unchanged.
This commit is contained in:
David Taylor
2025-02-07 11:43:39 +00:00
committed by GitHub
parent 117027a40a
commit 6b6b31a97f
4 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/middleware/omniauth_bypass_middleware.rb
View File

@ -31,7 +31,10 @@ class Middleware::OmniauthBypassMiddleware
# When only one provider is enabled, assume it can be completely trusted, and allow GET requests
only_one_provider =
!SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1
OmniAuth.config.allowed_request_methods = only_one_provider ? %i[get post] : [:post]
allow_get = only_one_provider || !SiteSetting.auth_require_interaction
OmniAuth.config.allowed_request_methods = allow_get ? %i[get post] : [:post]
omniauth =
OmniAuth::Builder.new(@app) do