Ensure Warden triggers after_authentication callback

By not triggering the callback: - ActiveSession lookup keys are not cleaned - Devise also misses its hook related to session cleanup
author: Imre Farkas <ifarkas@gitlab.com> 2019-07-26 10:05:50 +0300
committer: James Lopez <james@gitlab.com> 2019-07-26 10:05:50 +0300
commit: 929b403d21308cb7843aa474bfba599345b706b4 (patch)
tree: 14238ab87d98381ccc7f140789c4829c926d32bf /app/controllers/sessions_controller.rb
parent: 13958668854bc98676d6414c0debaeb4b91a9943 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 7604b31467a..1880bead3ee 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -26,6 +26,17 @@ class SessionsController < Devise::SessionsController
   after_action :log_failed_login, if: -> { action_name == 'new' && failed_login? }
   helper_method :captcha_enabled?
 
+  # protect_from_forgery is already prepended in ApplicationController but
+  # authenticate_with_two_factor which signs in the user is prepended before
+  # that here.
+  # We need to make sure CSRF token is verified before authenticating the user
+  # because Devise.clean_up_csrf_token_on_authentication is set to true by
+  # default to avoid CSRF token fixation attacks. Authenticating the user first
+  # would cause the CSRF token to be cleared and then
+  # RequestForgeryProtection#verify_authenticity_token would fail because of
+  # token mismatch.
+  protect_from_forgery with: :exception, prepend: true
+
   CAPTCHA_HEADER = 'X-GitLab-Show-Login-Captcha'.freeze
 
   def new
author	Imre Farkas <ifarkas@gitlab.com>	2019-07-26 10:05:50 +0300
committer	James Lopez <james@gitlab.com>	2019-07-26 10:05:50 +0300
commit	929b403d21308cb7843aa474bfba599345b706b4 (patch)
tree	14238ab87d98381ccc7f140789c4829c926d32bf /app/controllers/sessions_controller.rb
parent	13958668854bc98676d6414c0debaeb4b91a9943 (diff)