github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-23 08:07:19 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Add CSRF protections to OpenID callback

Browse Source
This commit is contained in:
David Taylor
2018-11-02 23:49:00 +00:00
parent ae9eddb002
commit a84b6b6b0c
1 changed files with 20 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
lib/auth/open_id_authenticator.rb
View File

@ -82,12 +82,25 @@ class Auth::OpenIdAuthenticator < Auth::Authenticator
def register_middleware(omniauth) def register_middleware(omniauth)
omniauth.provider :open_id, omniauth.provider :open_id,
setup: lambda { |env| setup: lambda { |env|
strategy = env["omniauth.strategy"] strategy = env["omniauth.strategy"]
strategy.options[:store] = OpenID::Store::Redis.new($redis) strategy.options[:store] = OpenID::Store::Redis.new($redis)
},
name: name, # Add CSRF protection in addition to OpenID Specification
identifier: identifier, def strategy.query_string
require: "omniauth-openid" session["omniauth.state"] = state = SecureRandom.hex(24)
"?state=#{state}"
end
def strategy.callback_phase
stored_state = session.delete("omniauth.state")
provided_state = request.params["state"]
return fail!(:invalid_credentials) unless provided_state == stored_state
super
end
},
name: name,
identifier: identifier,
require: "omniauth-openid"
end end
end end