fix CSRF vulnerability (cherry-picked from 1-5-0-stable)
Conflicts:
lib/omniauth/strategies/facebook.rb
test/support/shared_examples.rb
test/test.rb
Mark Dodwell
10 years ago
| 52 | 52 | ### Per-Request Options |
| 53 | 53 | |
| 54 | 54 | If you want to set the `display` format, `auth_type`, or `scope` on a per-request basis, you can just pass it to the OmniAuth request phase URL, for example: `/auth/facebook?display=popup` or `/auth/facebook?scope=email`. |
| 55 | ||
| 56 | You can also pass through a `state` param which will be passed along to the callback url. | |
| 57 | 55 | |
| 58 | 56 | ### Custom Callback URL/Path |
| 59 | 57 |
| 132 | 132 | end |
| 133 | 133 | |
| 134 | 134 | ## |
| 135 | # You can pass +display+, +state+, +scope+, or +auth_type+ params to the auth request, if | |
| 135 | # You can pass +display+, +scope+, or +auth_type+ params to the auth request, if | |
| 136 | 136 | # you need to set them dynamically. You can also set these options |
| 137 | 137 | # in the OmniAuth config :authorize_params option. |
| 138 | 138 | # |
| 140 | 140 | # |
| 141 | 141 | def authorize_params |
| 142 | 142 | super.tap do |params| |
| 143 | %w[display state scope auth_type].each do |v| | |
| 143 | %w[display scope auth_type].each do |v| | |
| 144 | 144 | if request.params[v] |
| 145 | 145 | params[v.to_sym] = request.params[v] |
| 146 | ||
| 147 | # to support omniauth-oauth2's auto csrf protection | |
| 148 | session['omniauth.state'] = params[:state] if v == 'state' | |
| 149 | 146 | end |
| 150 | 147 | end |
| 151 | 148 | |
| 49 | 49 | assert_equal strategy.authorize_params['state'], strategy.session['omniauth.state'] |
| 50 | 50 | end |
| 51 | 51 | |
| 52 | test 'should store state in the session when present in authorize params vs. a random one' do | |
| 53 | @request.stubs(:params).returns({ 'state' => 'bar' }) | |
| 52 | test 'should not store state in the session when present in authorize params vs. a random one' do | |
| 54 | 53 | @options = { :authorize_params => { :state => 'bar' } } |
| 55 | 54 | refute_empty strategy.authorize_params['state'] |
| 56 | assert_equal 'bar', strategy.authorize_params[:state] | |
| 55 | refute_equal 'bar', strategy.authorize_params[:state] | |
| 57 | 56 | refute_empty strategy.session['omniauth.state'] |
| 58 | assert_equal 'bar', strategy.session['omniauth.state'] | |
| 57 | refute_equal 'bar', strategy.session['omniauth.state'] | |
| 59 | 58 | end |
| 60 | 59 | |
| 61 | test 'should store state in the session when present in request params vs. a random one' do | |
| 60 | test 'should not store state in the session when present in request params vs. a random one' do | |
| 62 | 61 | @request.stubs(:params).returns({ 'state' => 'foo' }) |
| 63 | 62 | refute_empty strategy.authorize_params['state'] |
| 64 | assert_equal 'foo', strategy.authorize_params[:state] | |
| 63 | refute_equal 'foo', strategy.authorize_params[:state] | |
| 65 | 64 | refute_empty strategy.session['omniauth.state'] |
| 66 | assert_equal 'foo', strategy.session['omniauth.state'] | |
| 65 | refute_equal 'foo', strategy.session['omniauth.state'] | |
| 67 | 66 | end |
| 68 | 67 | end |
| 69 | 68 |
| 53 | 53 | @request.stubs(:params).returns({ 'display' => 'touch' }) |
| 54 | 54 | assert strategy.authorize_params.is_a?(Hash) |
| 55 | 55 | assert_equal 'touch', strategy.authorize_params[:display] |
| 56 | end | |
| 57 | ||
| 58 | test 'includes state parameter from request when present' do | |
| 59 | @request.stubs(:params).returns({ 'state' => 'some_state' }) | |
| 60 | assert strategy.authorize_params.is_a?(Hash) | |
| 61 | assert_equal 'some_state', strategy.authorize_params[:state] | |
| 62 | 56 | end |
| 63 | 57 | |
| 64 | 58 | test 'includes auth_type parameter from request when present' do |