github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-23 07:55:44 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Add CSRF protections to OpenID callback

Browse Source
This commit is contained in:
David Taylor
2018-11-02 23:49:00 +00:00
parent ae9eddb002
commit a84b6b6b0c
1 changed files with 20 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
lib/auth/open_id_authenticator.rb
View File

@ -85,6 +85,19 @@ class Auth::OpenIdAuthenticator < Auth::Authenticator
setup: lambda { |env| setup: lambda { |env|
strategy = env["omniauth.strategy"] strategy = env["omniauth.strategy"]
strategy.options[:store] = OpenID::Store::Redis.new($redis) strategy.options[:store] = OpenID::Store::Redis.new($redis)
# Add CSRF protection in addition to OpenID Specification
def strategy.query_string
session["omniauth.state"] = state = SecureRandom.hex(24)
"?state=#{state}"
end
def strategy.callback_phase
stored_state = session.delete("omniauth.state")
provided_state = request.params["state"]
return fail!(:invalid_credentials) unless provided_state == stored_state
super
end
}, },
name: name, name: name,
identifier: identifier, identifier: identifier,