author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-11-15 21:12:21 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-11-15 21:12:21 +0300 |
commit | 4481a56a94c579f52e1cdef1cc1f4995f0ee1412 (patch) | |
tree | 9b8d431d53057e6351dd56718d212b2c89b19312 /config/initializers_before_autoloader | |
parent | e5c7d631a84940c66e46f1824ba7ce0c7f1d0ea4 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'config/initializers_before_autoloader')
-rw-r--r-- | config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb | 28 |
1 files changed, 4 insertions, 24 deletions
diff --git a/config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb b/config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb
index 1ede92609a9..c6baae56d3d 100644
--- a/config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb
+++ b/config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb
@@ -10,31 +10,11 @@ module OmniAuth
 module Strategies
 class OAuth2
+ alias_method :original_callback_phase, :callback_phase
+
 def callback_phase
- error = request.params["error_reason"].presence || request.params["error"].presence
- # Monkey patch #1:
- #
- # Swap the order of these conditions around so the `state` param is verified *first*,
- # before using the error params returned by the provider.
- #
- # This avoids content spoofing attacks by crafting a URL with malicious messages,
- # because the `state` param is only present in the session after a valid OAuth2 authentication flow.
- if !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session.delete("omniauth.state"))
- fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
- elsif error
- fail!(error, CallbackError.new(request.params["error"], request.params["error_description"].presence || request.params["error_reason"].presence, request.params["error_uri"]))
- else
- self.access_token = build_access_token
- self.access_token = access_token.refresh! if access_token.expired?
- super
- end
- rescue ::OAuth2::Error, CallbackError => e
- fail!(:invalid_credentials, e)
- rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
- fail!(:timeout, e)
- rescue ::SocketError => e
- fail!(:failed_to_connect, e)
- # Monkey patch #2:
+ original_callback_phase
+ # Monkey patch #1:
 #
 # Also catch errors from Faraday.
 # See https://github.com/omniauth/omniauth-oauth2/pull/129 |
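Review bot: Removing the hand-rolled state-before-error check from `def callback_phase` moves the CSRF / content-spoofing protection entirely into the gem's `callback_phase` reached via `original_callback_phase`, and nothing in the hunk records that dependency. A comment above the alias, e.g. `# The upstream callback_phase now verifies `state` before reading the provider's error params; that ordering is what this file used to patch in`, plus a request spec asserting that `csrf_detected` wins over a crafted `error` param, would stop a later reader from either re-adding the patch or loosening the gem constraint without noticing. Separately, `alias_method :original_callback_phase, :callback_phase` has no re-entry guard: if this initializer is evaluated a second time the alias is re-pointed at the already-patched method and `original_callback_phase` recurses into itself; `prepend`ing a module that holds the Faraday rescue, or guarding with `unless method_defined?(:original_callback_phase)`, avoids that. The body of `callback_phase` continues past the end of the hunk.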