Mirrors/astuto
1
0
Fork 0
mirror of https://github.com/astuto/astuto.git synced 2025-12-15 11:17:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Change OAuth state separator character (#194)

Browse Source
This commit is contained in:
Riccardo Graziosi
2023-01-28 14:24:03 +01:00
committed by GitHub
parent bae0fe0457
commit 53d8674fab
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/controllers/o_auths_controller.rb
View File

@@ -5,6 +5,8 @@ class OAuthsController < ApplicationController
before_action :authenticate_admin, only: [:index, :create, :update, :destroy]
TOKEN_STATE_SEPARATOR = '-'
# [subdomain.]base_url/o_auths/:id/start?reason=user|test
# Generates authorize url with required parameters and redirects to provider
def start
@@ -12,7 +14,7 @@ class OAuthsController < ApplicationController
return if params[:reason] == 'user' and not @o_auth.is_enabled?
# Generate random state + other query params
token_state = "#{params[:reason]}|#{Devise.friendly_token(30)}"
token_state = "#{params[:reason]}#{TOKEN_STATE_SEPARATOR}#{Devise.friendly_token(30)}"
session[:token_state] = token_state
@o_auth.state = token_state
@@ -22,7 +24,7 @@ class OAuthsController < ApplicationController
# [subdomain.]base_url/o_auths/:id/callback
# Exchange authorization code for access token, fetch user info and sign in/up
def callback
reason, token_state = params[:state].split('|')
reason, token_state = params[:state].split(TOKEN_STATE_SEPARATOR, 2)
return unless session[:token_state] == params[:state]
@@ -67,7 +69,7 @@ class OAuthsController < ApplicationController
end
end
### CRUD actions below ###
### CRUD actions ###
def index
authorize OAuth