# Protects OmniAuth request phase against CSRF.
module OmniAuth
# Based on ActionController::RequestForgeryProtection.
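class RequestForgeryProtection
  # Header in which a client may send the CSRF token instead of a form param.
  CSRF_HEADER = 'X-CSRF-Token'.freeze

  # @param env [Hash] the Rack environment of the request being verified
  def initialize(env)
    @env = env
  end

  # The request wrapped by ActionDispatch, built lazily from the stored env.
  def request
    @request ||= ActionDispatch::Request.new(@env)
  end

  # Session of the current request.
  def session
    request.session
  end

  # Discards the current session (used by the configured forgery strategy).
  def reset_session
    request.reset_session
  end

  # Parameters of the current request.
  def params
    request.params
  end

  # Entry point: verifies the request and hands an unverified one to the
  # configured strategy.
  def call
    verify_authenticity_token
  end

  # Logs a warning and delegates to the strategy when the request carries no
  # valid CSRF token; does nothing for a verified request.
  def verify_authenticity_token
    return if verified_request?

    Rails.logger.warn "Can't verify CSRF token authenticity" if Rails.logger
    handle_unverified_request
  end

  private

  # Whether the application has forgery protection enabled.
  def protect_against_forgery?
    ApplicationController.allow_forgery_protection
  end

  # Name of the request parameter that carries the token.
  def request_forgery_protection_token
    ApplicationController.request_forgery_protection_token
  end

  # Strategy class instantiated for an unverified request.
  def forgery_protection_strategy
    ApplicationController.forgery_protection_strategy
  end

  # A request is verified when protection is off, when it is a safe
  # (GET/HEAD) request, or when the token sent as a param or in the
  # X-CSRF-Token header matches the session token.
  def verified_request?
    return true unless protect_against_forgery?
    return true if request.get? || request.head?

    valid_authenticity_token?(params[request_forgery_protection_token]) ||
      valid_authenticity_token?(request.headers[CSRF_HEADER])
  end

  # Checks a client-supplied token against the session token in constant
  # time, so that response timing does not leak how many leading bytes
  # matched. Non-String values (e.g. a param sent as an array) are rejected
  # instead of raising.
  def valid_authenticity_token?(encoded_token)
    return false unless encoded_token.is_a?(String)

    secure_compare(encoded_token, form_authenticity_token)
  end

  # Constant-time equality for two Strings; the same construction as
  # Rack::Utils.secure_compare. Unequal lengths short-circuit, which only
  # reveals the token length, not its content.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    mismatch = 0
    a.bytes.zip(b.bytes) { |x, y| mismatch |= x ^ y }
    mismatch.zero?
  end

  # Builds the configured strategy around this object and lets it respond.
  def handle_unverified_request
    forgery_protection_strategy.new(self).handle_unverified_request
  end

  # Returns the session token, generating and storing one on first use.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end
end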
end