SECURITY: Add CSRF protections to OpenID callback

2025-02-22 04:07:27 +00:00 · 2018-11-02 23:49:00 +00:00 · 2018-11-02 23:49:00 +00:00 · a84b6b6b0c
commit a84b6b6b0c
parent ae9eddb002
1 changed files with 20 additions and 7 deletions
--- a/lib/auth/open_id_authenticator.rb
+++ b/lib/auth/open_id_authenticator.rb
@ -82,12 +82,25 @@ class Auth::OpenIdAuthenticator < Auth::Authenticator

  def register_middleware(omniauth)
    omniauth.provider :open_id,
-           setup: lambda { |env|
-             strategy = env["omniauth.strategy"]
-              strategy.options[:store] = OpenID::Store::Redis.new($redis)
-           },
-           name: name,
-           identifier: identifier,
-           require: "omniauth-openid"
+         setup: lambda { |env|
+           strategy = env["omniauth.strategy"]
+           strategy.options[:store] = OpenID::Store::Redis.new($redis)
+
+           # Add CSRF protection in addition to OpenID Specification
+           def strategy.query_string
+              session["omniauth.state"] = state = SecureRandom.hex(24)
+             "?state=#{state}"
+           end
+
+           def strategy.callback_phase
+             stored_state = session.delete("omniauth.state")
+             provided_state = request.params["state"]
+             return fail!(:invalid_credentials) unless provided_state == stored_state
+             super
+           end
+         },
+         name: name,
+         identifier: identifier,
+         require: "omniauth-openid"
  end
 end