
CSRF in Rack for callback requests

Open AlexWayfer opened this issue 3 years ago • 0 comments


Configuration

  • Provider Gem: omniauth-developer
  • Ruby Version: 3.1.2
  • Framework: Flame
  • Platform: Arch Linux

Expected Behavior

OmniAuth-Developer form contains CSRF param and passes it to /auth/developer/callback.

Actual Behavior

I see no _csrf param, even after completing the setup instructions for compatibility.

Steps to Reproduce

```ruby
::OmniAuth::AuthenticityTokenProtection.default_options(key: 'csrf.token', authenticity_param: '_csrf')

use Rack::Csrf, raise: true

use OmniAuth::Builder do
  provider :developer
end
```

Additional info

I've tried the allow_if block from #1074, but it seems it is never called.

The form to authenticate:

```html
<form action="/auth/developer" method="POST">
  <input type="hidden" name="_csrf" value="Bia4XjpqNYzblbtv2TtiYqnsniZIQIHoMZJo5b4eqJI">
  <button type="submit">Connect Developer</button>
</form>
```

The form from the OmniAuth-Developer provider:

[screenshot of the OmniAuth-Developer form]

Without a _csrf param (hidden?), the /callback will be rejected (by the Rack::Csrf middleware).

AlexWayfer, Sep 15 '22 15:09
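The rejection the issue describes can be replayed without the gems involved. The block below is an added illustration and is not code from the issue, from omniauth or from rack_csrf: `DemoCsrf` is a constructed stand-in that mimics only the part of Rack::Csrf's behaviour the report relies on (a POST must carry a `_csrf` field equal to the token stored in the session under `csrf.token`, the two names the issue's `default_options` line configures), and `UPSTREAM` stands in for the `OmniAuth::Builder` app. Its `skip:` list of `"METHOD:/path"` strings is modelled on rack_csrf's `skip:` option, which is the usual way to exempt a callback path; the token value and the Rack env are constructed by hand.

```ruby
require 'uri'
require 'stringio'

# Constructed stand-in for Rack::Csrf (NOT the rack_csrf gem). Unsafe-method
# requests must carry a `_csrf` form field matching the session token under
# `csrf.token`; paths listed in `skip:` ("METHOD:/path") are exempt.
class DemoCsrf
  SESSION_KEY = 'csrf.token'
  FIELD       = '_csrf'

  def initialize(app, skip: [], raise_on_failure: false)
    @app   = app
    @skip  = skip
    @raise = raise_on_failure
  end

  def call(env)
    session = env['rack.session']
    session[SESSION_KEY] ||= 'demo-token' # constructed; a real middleware uses SecureRandom
    unless safe_method?(env) || skipped?(env) || token_matches?(env, session)
      raise 'CSRF token mismatch' if @raise   # mirrors the `raise: true` mode
      return [403, { 'content-type' => 'text/plain' }, ['Forbidden']]
    end
    @app.call(env)
  end

  private

  def safe_method?(env)
    %w[GET HEAD OPTIONS TRACE].include?(env['REQUEST_METHOD'])
  end

  def skipped?(env)
    @skip.include?("#{env['REQUEST_METHOD']}:#{env['PATH_INFO']}")
  end

  def token_matches?(env, session)
    body = env['rack.input'].read
    env['rack.input'].rewind
    submitted = URI.decode_www_form(body).to_h[FIELD]
    submitted && submitted == session[SESSION_KEY]
  end
end

# Stand-in for the OmniAuth::Builder app: reports which path it was reached on.
UPSTREAM = ->(env) { [200, { 'content-type' => 'text/plain' }, ["reached #{env['PATH_INFO']}"]] }

# Builds a minimal Rack env for a form POST; `session` is shared across
# requests the way a cookie-backed session would be.
def form_post(path, fields, session)
  {
    'REQUEST_METHOD' => 'POST',
    'PATH_INFO'      => path,
    'rack.input'     => StringIO.new(URI.encode_www_form(fields)),
    'rack.session'   => session,
  }
end

# Replays the report: the app's own form carries _csrf, the developer
# strategy's callback form does not. Returns the status of each request.
def replay(skip: [])
  session = { 'csrf.token' => 'demo-token' }
  app = DemoCsrf.new(UPSTREAM, skip: skip)
  {
    login_with_token:   app.call(form_post('/auth/developer', { '_csrf' => 'demo-token' }, session))[0],
    callback_no_token:  app.call(form_post('/auth/developer/callback', { 'name' => 'Alex', 'email' => 'a@example.com' }, session))[0],
    callback_bad_token: app.call(form_post('/auth/developer/callback', { '_csrf' => 'wrong' }, session))[0],
  }
end

# With `raise_on_failure: true` (the issue's `raise: true`) the callback POST
# surfaces as an exception instead of a 403.
def callback_raises?
  app = DemoCsrf.new(UPSTREAM, raise_on_failure: true)
  app.call(form_post('/auth/developer/callback', {}, { 'csrf.token' => 'demo-token' }))
  false
rescue RuntimeError
  true
end

if __FILE__ == $PROGRAM_NAME
  p replay                                            # callback_no_token => 403
  p replay(skip: ['POST:/auth/developer/callback'])   # callback_no_token => 200
  p callback_raises?                                  # true
end
```

Run stand-alone it shows the two outcomes: without an exemption the token-less callback POST is refused (403, or an exception under `raise`), and with the callback path on the skip list it passes. Note that skipping the callback means Rack::Csrf no longer protects that route at all; the `callback_bad_token` case also returns 200 once skipped, so the exemption should be limited to the developer strategy, which is meant for development use, and the callback must then rely on OmniAuth's own request-phase protection.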