Too hard to preserve POST params prior to request phase #975
Comments
Also wondered about the same thing, and the search led me here. Is there any willingness to support this from the maintainers? Are PRs for this going to be considered? Or is it a dead end?
I am using this strategy https://github.com/stevenkaras/omniauth-mailchimp and it does not work like that. This is using rails 6.0.3:

```ruby
# config/initializers/omniauth.rb
# The enclosing OmniAuth::Builder block is assumed here; only its closing `end` was posted.
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :mailchimp, ENV['MAILCHIMP_CLIENT_ID'], ENV['MAILCHIMP_CLIENT_SECRET'], setup: lambda { |env|
    if env["omniauth.strategy"].on_request_path?
      env['rack.session']['foo'] = 'foo'
    end
  }

  before_request_phase do |env|
    # Prior to login, save user parameters to session so that we can
    # retrieve them after authentication in order to update the user's
    # preferences.
    #
    # This API is basically undocumented and was figured from reading
    # omniauth's strategy.rb.
    env["rack.session"]["user_params"] = 'something!!!'
  end
end
```

Then in the callback controller:

```ruby
def create
  puts session[:foo]
  puts session[:user_params]
  render plain: 'ok'
end
```

Nothing is printed. Any idea what could be happening here?
I would need to look into any potential ramifications of the changes being discussed, and overall community need.

I'm not guaranteeing this works, but have you tried accessing with string keys?

Yes, I tried that, but it still does not work.

I also ran into this problem after switching from I was able to work around it by looking at I also tried the strategy above of setting If there is a better way, please let me know.
Currently params provided to the request phase via the query string in the `GET` request are stored as `session["omniauth.params"]` (omniauth/lib/omniauth/strategy.rb, line 280 in cc0f552) and then retrieved and made available in the callback phase as `request.env["omniauth.params"]` (omniauth/lib/omniauth/strategy.rb, line 236 in cc0f552).
This useful feature, whilst mentioned in third-party blogs like here and here, is still lacking official documentation as mentioned in issue #909. That's unfortunate, but there is a further issue caused by a combination of two facts:
- `GET`.
- `POST`, since allowing `GET /auth/:provider` is unsafe.

So when attempting to write code which uses omniauth safely, there is no obvious way to preserve custom application-specific parameters which are passed at login time.
By looking at `lib/omniauth/strategy.rb` I managed to figure out that I could do something like:

Then later on, after authentication has succeeded and the callback redirects to my `users_controller.rb`, I can access these custom parameters via `session[:user_params]`. However, it does not seem good that developers should have to assume such knowledge about the internals of the middleware in order to write code which safely preserves parameters across the various HTTP requests in the authentication flow. Therefore I suggest that something similar to `omniauth.params` is implemented for `POST` requests - it could be called `omniauth.form_params`, for instance. And of course, all of this should be clearly documented, and explained in https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284 too :-)
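The two-phase hand-off described above (stash params in the session during the request phase, expose them again in the callback phase), as an added stand-alone Ruby sketch that is not code from the omniauth project: the `omniauth.form_params` key is the name proposed in this issue, while the `ALLOWED_PARAMS` whitelist, the helper names and the sample POST body are assumptions.

```ruby
# Added example, not omniauth's own code: stdlib-only model of the
# request-phase -> callback-phase hand-off for POST form params.
require 'uri'
require 'stringio'

FORM_PARAMS_KEY = 'omniauth.form_params'.freeze  # key name proposed in the issue
ALLOWED_PARAMS  = %w[return_to locale].freeze    # assumed app-specific whitelist

# Request phase (POST /auth/:provider): read the form body and keep only the
# whitelisted fields in the session, mirroring what omniauth does for the GET
# query string under "omniauth.params". Storing arbitrary user input would let
# a caller fill the session with anything, so we filter by key.
def preserve_form_params(env)
  return nil unless env['REQUEST_METHOD'] == 'POST'
  body = env['rack.input'].read
  env['rack.input'].rewind                          # leave the body readable for later middleware
  form = URI.decode_www_form(body).to_h
  kept = form.select { |k, _| ALLOWED_PARAMS.include?(k) }
  env['rack.session'][FORM_PARAMS_KEY] = kept
  kept
end

# Callback phase (GET /auth/:provider/callback): move the stored params out of
# the session into the Rack env, so the app reads them once and they do not
# linger in the session for later requests.
def restore_form_params(env)
  env[FORM_PARAMS_KEY] = env['rack.session'].delete(FORM_PARAMS_KEY) || {}
end

# Constructed Rack envs; a real app receives these from Rack itself.
def request_phase_env(session, body)
  { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/auth/mailchimp',
    'rack.input' => StringIO.new(body), 'rack.session' => session }
end

def callback_phase_env(session)
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/auth/mailchimp/callback',
    'rack.session' => session }
end

# Walk both phases with one shared session (the session cookie in a real flow).
# Returns the params the callback sees and whether anything is left in session.
def walk_flow(body)
  session = {}
  preserve_form_params(request_phase_env(session, body))
  env = callback_phase_env(session)
  restore_form_params(env)
  [env[FORM_PARAMS_KEY], session.key?(FORM_PARAMS_KEY)]
end
```

The `authenticity_token` and the unexpected `admin` field in a constructed body are dropped by the whitelist, so only `return_to` and `locale` reach the callback.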