From a84b6b6b0c3dbb4e3b3e4325e4b7bc0942f9f3de Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Fri, 2 Nov 2018 23:49:00 +0000
Subject: [PATCH] SECURITY: Add CSRF protections to OpenID callback
---
 lib/auth/open_id_authenticator.rb | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/lib/auth/open_id_authenticator.rb b/lib/auth/open_id_authenticator.rb
index 849ca6977a3..b85930b79df 100644
--- a/lib/auth/open_id_authenticator.rb
+++ b/lib/auth/open_id_authenticator.rb
@@ -82,12 +82,25 @@ class Auth::OpenIdAuthenticator < Auth::Authenticator
   def register_middleware(omniauth)
     omniauth.provider :open_id,
-      setup: lambda { |env|
-        strategy = env["omniauth.strategy"]
-        strategy.options[:store] = OpenID::Store::Redis.new($redis)
-      },
-      name: name,
-      identifier: identifier,
-      require: "omniauth-openid"
+      setup: lambda { |env|
+        strategy = env["omniauth.strategy"]
+        strategy.options[:store] = OpenID::Store::Redis.new($redis)
+
+        # Add CSRF protection in addition to OpenID Specification
+        def strategy.query_string
+          session["omniauth.state"] = state = SecureRandom.hex(24)
+          "?state=#{state}"
+        end
+
+        def strategy.callback_phase
+          stored_state = session.delete("omniauth.state")
+          provided_state = request.params["state"]
+          return fail!(:invalid_credentials) unless provided_state == stored_state
+          super
+        end
+      },
+      name: name,
+      identifier: identifier,
+      require: "omniauth-openid"
   end
 end
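Review bot: The comparison on the `return fail!(:invalid_credentials) unless provided_state == stored_state` line passes when both sides are nil, so a callback that simply omits the `state` parameter is accepted for any session holding no `omniauth.state` (a session that never began the flow, or one whose value was already consumed by the preceding `session.delete`), which leaves open the forged-callback case the commit sets out to close. Require the stored value to exist before comparing: `return fail!(:invalid_credentials) if stored_state.nil? || provided_state != stored_state`. Because the token is a secret, a constant-time comparison such as `Rack::Utils.secure_compare(stored_state, provided_state.to_s)` (Rack is presumably already loaded via OmniAuth — confirm) would also be preferable to `==`, although with a 48-hex-character random token the timing leak matters far less than the nil case. The `# Add CSRF protection in addition to OpenID Specification` comment would help a later reader if it said how the token makes the round trip, e.g. `# state is appended to the callback URL (and so to the OpenID return_to), then checked and consumed on the callback` — hedged, since the hunk does not show where `query_string` is consumed.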