fix CSRF vulnerability (cherry-picked from 1-5-0-stable)
Conflicts:
lib/omniauth/strategies/facebook.rb
test/support/shared_examples.rb
test/test.rb
Mark Dodwell
10 years ago
52 | 52 | ### Per-Request Options |
53 | 53 | |
54 | 54 | If you want to set the `display` format, `auth_type`, or `scope` on a per-request basis, you can just pass it to the OmniAuth request phase URL, for example: `/auth/facebook?display=popup` or `/auth/facebook?scope=email`. |
55 | ||
56 | You can also pass through a `state` param which will be passed along to the callback url. | |
57 | 55 | |
58 | 56 | ### Custom Callback URL/Path |
59 | 57 |
132 | 132 | end |
133 | 133 | |
134 | 134 | ## |
135 | # You can pass +display+, +state+, +scope+, or +auth_type+ params to the auth request, if | |
135 | # You can pass +display+, +scope+, or +auth_type+ params to the auth request, if | |
136 | 136 | # you need to set them dynamically. You can also set these options |
137 | 137 | # in the OmniAuth config :authorize_params option. |
138 | 138 | # |
140 | 140 | # |
141 | 141 | def authorize_params |
142 | 142 | super.tap do |params| |
143 | %w[display state scope auth_type].each do |v| | |
143 | %w[display scope auth_type].each do |v| | |
144 | 144 | if request.params[v] |
145 | 145 | params[v.to_sym] = request.params[v] |
146 | ||
147 | # to support omniauth-oauth2's auto csrf protection | |
148 | session['omniauth.state'] = params[:state] if v == 'state' | |
149 | 146 | end |
150 | 147 | end |
151 | 148 |
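Review bot: Nothing in the new code records why `state` was removed from the passthrough list on the `%w[display scope auth_type].each do |v|` line, so a later contributor could re-add it as a convenience and silently undo this fix; a comment on that loop would preserve the intent, e.g. `# 'state' is deliberately not forwarded: omniauth-oauth2 generates and stores its own session-bound state for CSRF protection, and a request-supplied value must not replace it.` The header comment above the method has already been trimmed to the three remaining params, which is consistent with the loop. Separately, `if request.params[v]` still forwards an empty string (e.g. `?scope=`) because `""` is truthy in Ruby; if that is unwanted, `next if request.params[v].to_s.empty?` would skip it, though this behaviour predates the change. The `super.tap do` block and the `def authorize_params` end close outside the hunk.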
49 | 49 | assert_equal strategy.authorize_params['state'], strategy.session['omniauth.state'] |
50 | 50 | end |
51 | 51 | |
52 | test 'should store state in the session when present in authorize params vs. a random one' do | |
53 | @request.stubs(:params).returns({ 'state' => 'bar' }) | |
52 | test 'should not store state in the session when present in authorize params vs. a random one' do | |
54 | 53 | @options = { :authorize_params => { :state => 'bar' } } |
55 | 54 | refute_empty strategy.authorize_params['state'] |
56 | assert_equal 'bar', strategy.authorize_params[:state] | |
55 | refute_equal 'bar', strategy.authorize_params[:state] | |
57 | 56 | refute_empty strategy.session['omniauth.state'] |
58 | assert_equal 'bar', strategy.session['omniauth.state'] | |
57 | refute_equal 'bar', strategy.session['omniauth.state'] | |
59 | 58 | end |
60 | 59 | |
61 | test 'should store state in the session when present in request params vs. a random one' do | |
60 | test 'should not store state in the session when present in request params vs. a random one' do | |
62 | 61 | @request.stubs(:params).returns({ 'state' => 'foo' }) |
63 | 62 | refute_empty strategy.authorize_params['state'] |
64 | assert_equal 'foo', strategy.authorize_params[:state] | |
63 | refute_equal 'foo', strategy.authorize_params[:state] | |
65 | 64 | refute_empty strategy.session['omniauth.state'] |
66 | assert_equal 'foo', strategy.session['omniauth.state'] | |
65 | refute_equal 'foo', strategy.session['omniauth.state'] | |
67 | 66 | end |
68 | 67 | end |
69 | 68 |
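Review bot: The rewritten assertions mix string and symbol keys on the same hash — `refute_empty strategy.authorize_params['state']` followed by `refute_equal 'bar', strategy.authorize_params[:state]` — which reads as if two different keys were being checked and only works if `authorize_params` returns an indifferent-access hash (the unchanged assertion at the top of the section suggests it does). Using `[:state]` consistently in both rewritten tests would make the intent plain. These tests also only show that the option- or request-supplied value is not used; that the generated state is the one actually stored in `session['omniauth.state']` appears to be covered only by the unchanged `assert_equal` above for the default case, so a matching `assert_equal strategy.authorize_params[:state], strategy.session['omniauth.state']` in each rewritten test would close that gap.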
53 | 53 | @request.stubs(:params).returns({ 'display' => 'touch' }) |
54 | 54 | assert strategy.authorize_params.is_a?(Hash) |
55 | 55 | assert_equal 'touch', strategy.authorize_params[:display] |
56 | end | |
57 | ||
58 | test 'includes state parameter from request when present' do | |
59 | @request.stubs(:params).returns({ 'state' => 'some_state' }) | |
60 | assert strategy.authorize_params.is_a?(Hash) | |
61 | assert_equal 'some_state', strategy.authorize_params[:state] | |
62 | 56 | end |
63 | 57 | |
64 | 58 | test 'includes auth_type parameter from request when present' do |