consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #3840 from consul/omniauth_csrf

Browse Source 
Add CSRF protection to Omniauth requests
This commit is contained in:
Javier Martín
2020-01-28 12:52:17 +01:00
committed by GitHub
parent a3a7a07ea4 c4ebea27a7
commit 9bbed55d20
3 changed files with 22 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
Gemfile
View File

@@ -32,9 +32,10 @@ gem "jquery-rails", "~> 4.3.3"
gem "jquery-ui-rails", "~> 6.0.1" gem "jquery-ui-rails", "~> 6.0.1"
gem "kaminari", "~> 1.1.1" gem "kaminari", "~> 1.1.1"
gem "newrelic_rpm", "~> 4.1.0.333" gem "newrelic_rpm", "~> 4.1.0.333"
gem "omniauth", "~> 1.8.1" gem "omniauth", "~> 1.9.0"
gem "omniauth-facebook", "~> 4.0.0" gem "omniauth-facebook", "~> 4.0.0"
gem "omniauth-google-oauth2", "~> 0.4.0" gem "omniauth-google-oauth2", "~> 0.4.0"
gem "omniauth-rails_csrf_protection", "~> 0.1.2"
gem "omniauth-twitter", "~> 1.4.0" gem "omniauth-twitter", "~> 1.4.0"
gem "paperclip", "~> 5.2.1" gem "paperclip", "~> 5.2.1"
gem "paranoia", "~> 2.4.2" gem "paranoia", "~> 2.4.2"

12
Gemfile.lock
View File

@@ -259,7 +259,7 @@ GEM
activesupport (>= 3) activesupport (>= 3)
gyoku (1.3.1) gyoku (1.3.1)
builder (>= 2.1.2) builder (>= 2.1.2)
hashie (3.5.7) hashie (3.6.0)
highline (2.0.2) highline (2.0.2)
html_tokenizer (0.0.7) html_tokenizer (0.0.7)
htmlentities (4.3.4) htmlentities (4.3.4)
@@ -362,8 +362,8 @@ GEM
rack (>= 1.2, < 3) rack (>= 1.2, < 3)
octokit (4.14.0) octokit (4.14.0)
sawyer (~> 0.8.0, >= 0.5.3) sawyer (~> 0.8.0, >= 0.5.3)
omniauth (1.8.1) omniauth (1.9.0)
hashie (>= 3.4.6, < 3.6.0) hashie (>= 3.4.6, < 3.7.0)
rack (>= 1.6.2, < 3) rack (>= 1.6.2, < 3)
omniauth-facebook (4.0.0) omniauth-facebook (4.0.0)
omniauth-oauth2 (~> 1.2) omniauth-oauth2 (~> 1.2)
@@ -378,6 +378,9 @@ GEM
omniauth-oauth2 (1.5.0) omniauth-oauth2 (1.5.0)
oauth2 (~> 1.1) oauth2 (~> 1.1)
omniauth (~> 1.2) omniauth (~> 1.2)
omniauth-rails_csrf_protection (0.1.2)
actionpack (>= 4.2)
omniauth (>= 1.3.1)
omniauth-twitter (1.4.0) omniauth-twitter (1.4.0)
omniauth-oauth (~> 1.1) omniauth-oauth (~> 1.1)
rack rack
@@ -649,9 +652,10 @@ DEPENDENCIES
letter_opener_web (~> 1.3.4) letter_opener_web (~> 1.3.4)
mdl (~> 0.5.0) mdl (~> 0.5.0)
newrelic_rpm (~> 4.1.0.333) newrelic_rpm (~> 4.1.0.333)
omniauth (~> 1.8.1) omniauth (~> 1.9.0)
omniauth-facebook (~> 4.0.0) omniauth-facebook (~> 4.0.0)
omniauth-google-oauth2 (~> 0.4.0) omniauth-google-oauth2 (~> 0.4.0)
omniauth-rails_csrf_protection (~> 0.1.2)
omniauth-twitter (~> 1.4.0) omniauth-twitter (~> 1.4.0)
paperclip (~> 5.2.1) paperclip (~> 5.2.1)
paranoia (~> 2.4.2) paranoia (~> 2.4.2)

18
app/views/devise/_omniauth_form.html.erb
View File

@@ -12,7 +12,8 @@
<div class="small-12 medium-6 large-4 column end"> <div class="small-12 medium-6 large-4 column end">
<%= link_to t("omniauth.twitter.name"), user_twitter_omniauth_authorize_path, <%= link_to t("omniauth.twitter.name"), user_twitter_omniauth_authorize_path,
title: t("omniauth.twitter.sign_in"), title: t("omniauth.twitter.sign_in"),
class: "button-twitter button expanded" %> class: "button-twitter button expanded",
method: :post %>
</div> </div>
<% end %> <% end %>
@@ -20,7 +21,8 @@
<div class="small-12 medium-6 large-4 column end"> <div class="small-12 medium-6 large-4 column end">
<%= link_to t("omniauth.facebook.name"), user_facebook_omniauth_authorize_path, <%= link_to t("omniauth.facebook.name"), user_facebook_omniauth_authorize_path,
title: t("omniauth.facebook.sign_in"), title: t("omniauth.facebook.sign_in"),
class: "button-facebook button expanded" %> class: "button-facebook button expanded",
method: :post %>
</div> </div>
<% end %> <% end %>
@@ -28,7 +30,8 @@
<div class="small-12 medium-6 large-4 column end"> <div class="small-12 medium-6 large-4 column end">
<%= link_to t("omniauth.google_oauth2.name"), user_google_oauth2_omniauth_authorize_path, <%= link_to t("omniauth.google_oauth2.name"), user_google_oauth2_omniauth_authorize_path,
title: t("omniauth.google_oauth2.sign_in"), title: t("omniauth.google_oauth2.sign_in"),
class: "button-google button expanded" %> class: "button-google button expanded",
method: :post %>
</div> </div>
<% end %> <% end %>
@@ -49,7 +52,8 @@
<div class="small-12 medium-6 large-4 column end"> <div class="small-12 medium-6 large-4 column end">
<%= link_to t("omniauth.twitter.name"), user_twitter_omniauth_authorize_path, <%= link_to t("omniauth.twitter.name"), user_twitter_omniauth_authorize_path,
title: t("omniauth.twitter.sign_up"), title: t("omniauth.twitter.sign_up"),
class: "button-twitter button expanded" %> class: "button-twitter button expanded",
method: :post %>
</div> </div>
<% end %> <% end %>
@@ -57,7 +61,8 @@
<div class="small-12 medium-6 large-4 column end"> <div class="small-12 medium-6 large-4 column end">
<%= link_to t("omniauth.facebook.name"), user_facebook_omniauth_authorize_path, <%= link_to t("omniauth.facebook.name"), user_facebook_omniauth_authorize_path,
title: t("omniauth.facebook.sign_up"), title: t("omniauth.facebook.sign_up"),
class: "button-facebook button expanded" %> class: "button-facebook button expanded",
method: :post %>
</div> </div>
<% end %> <% end %>
@@ -65,7 +70,8 @@
<div class="small-12 medium-6 large-4 column end"> <div class="small-12 medium-6 large-4 column end">
<%= link_to t("omniauth.google_oauth2.name"), user_google_oauth2_omniauth_authorize_path, <%= link_to t("omniauth.google_oauth2.name"), user_google_oauth2_omniauth_authorize_path,
title: t("omniauth.google_oauth2.sign_up"), title: t("omniauth.google_oauth2.sign_up"),
class: "button-google button expanded" %> class: "button-google button expanded",
method: :post %>
</div> </div>
<% end %> <% end %>