DEV: Update to OmniAuth 2.0 (#25707)

2025-05-22 07:53:49 +08:00 · 2025-02-11 11:18:07 +00:00
parent a4d34d60e3
commit beb8dc75e9
3 changed files with 88 additions and 61 deletions
--- a/lib/middleware/omniauth_bypass_middleware.rb
+++ b/lib/middleware/omniauth_bypass_middleware.rb
@ -1,70 +1,54 @@
 # frozen_string_literal: true

-require "csrf_token_verifier"
-
 # omniauth loves spending lots cycles in its magic middleware stack
 # this middleware bypasses omniauth middleware and only hits it when needed
 class Middleware::OmniauthBypassMiddleware
-  class AuthenticatorDisabled < StandardError
+  module OmniAuthStrategyCompatPatch
+    def callback_url
+      result = super
+      if script_name.present? && result.include?("#{script_name}#{script_name}")
+        result = result.gsub("#{script_name}#{script_name}", script_name)
+        Discourse.deprecate <<~MESSAGE
+          OmniAuth strategy '#{name}' included duplicate script_name in callback url. It's likely the callback_url method is concatenating `script_name` with `callback_path`.
+          OmniAuth v2 includes the `script_name` in the `callback_path` automatically, so the manual `script_name` call can be removed.
+          This issue has been automatically corrected, but the strategy should be updated to ensure subfolder compatibility with future versions of Discourse.
+        MESSAGE
+      end
+      result
+    end
+  end
+
+  class PatchedOmniAuthBuilder < OmniAuth::Builder
+    def use(strategy, *args, **kwargs, &block)
+      if !strategy.ancestors.include?(OmniAuthStrategyCompatPatch)
+        strategy.prepend(OmniAuthStrategyCompatPatch)
+      end
+      super(strategy, *args, **kwargs, &block)
+    end
  end

  def initialize(app, options = {})
    @app = app
-
-    OmniAuth.config.before_request_phase do |env|
-      request = ActionDispatch::Request.new(env)
-
-      # Check for CSRF token in POST requests
-      CSRFTokenVerifier.new.call(env) if request.request_method.downcase.to_sym != :get
-
-      # If the user is trying to reconnect to an existing account, store in session
-      request.session[:auth_reconnect] = !!request.params["reconnect"]
-
-      # If the client provided an origin, store in session to redirect back
-      request.session[:destination_url] = request.params["origin"]
-    end
  end

  def call(env)
-    if env["PATH_INFO"].start_with?("/auth")
-      begin
-        # When only one provider is enabled, assume it can be completely trusted, and allow GET requests
-        only_one_provider =
-          !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1
+    return @app.call(env) unless env["PATH_INFO"].start_with?("/auth")

-        allow_get = only_one_provider || !SiteSetting.auth_require_interaction
+    # When only one provider is enabled, assume it can be completely trusted, and allow GET requests
+    only_one_provider =
+      !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1

-        OmniAuth.config.allowed_request_methods = allow_get ? %i[get post] : [:post]
+    allow_get = only_one_provider || !SiteSetting.auth_require_interaction

-        omniauth =
-          OmniAuth::Builder.new(@app) do
-            Discourse.enabled_authenticators.each do |authenticator|
-              authenticator.register_middleware(self)
-            end
-          end
+    OmniAuth.config.allowed_request_methods = allow_get ? %i[get post] : [:post]

-        omniauth.call(env)
-      rescue AuthenticatorDisabled => e
-        #  Authenticator is disabled, pretend it doesn't exist and pass request to app
-        @app.call(env)
-      rescue OAuth::Unauthorized => e
-        # OAuth1 (i.e. Twitter) makes a web request during the setup phase
-        # If it fails, Omniauth does not handle the error. Handle it here
-        env["omniauth.error.type"] ||= "request_error"
-        Rails.logger.error "Authentication failure! request_error: #{e.class}, #{e.message}"
-        OmniAuth::FailureEndpoint.call(env)
-      rescue JWT::InvalidIatError => e
-        # Happens for openid-connect (including google) providers, when the server clock is wrong
-        env["omniauth.error.type"] ||= "invalid_iat"
-        Rails.logger.error "Authentication failure! invalid_iat: #{e.class}, #{e.message}"
-        OmniAuth::FailureEndpoint.call(env)
-      rescue CSRFTokenVerifier::InvalidCSRFToken => e
-        # Happens when CSRF token is missing from request
-        env["omniauth.error.type"] ||= "csrf_detected"
-        OmniAuth::FailureEndpoint.call(env)
+    omniauth =
+      PatchedOmniAuthBuilder.new(@app) do
+        Discourse.enabled_authenticators.each do |authenticator|
+          authenticator.register_middleware(self)
+        end
      end
-    else
-      @app.call(env)
-    end
+
+    omniauth.call(env)
  end
 end