Merge pull request #15745 from opf/code-maintenance/55472-do-not-save-access-token-in-cookies

[#55472] Do not save access token in cookies
ba1ash authored Jun 7, 2024
2 parents 09b1272 + 400d3b0 commit 8b026c8
Showing 2 changed files with 3 additions and 23 deletions.
Expand Up @@ -41,22 +41,9 @@ def user_logged_in(context)
end

##
# Once omniauth has returned with an auth hash
# persist the access token
def omniauth_user_authorized(context)
auth_hash = context[:auth_hash]
controller = context[:controller]

# fetch the access token if it's present
access_token = auth_hash.fetch(:credentials, {})[:token]
# put it into a cookie
if controller && access_token
controller.send(:cookies)[:_open_project_session_access_token] = {
value: access_token,
secure: !!Rails.configuration.force_ssl
}
end
end
# Called once omniauth has returned with an auth hash
# NOTE: It's a passthrough as we no longer persist the access token into the cookie
def omniauth_user_authorized(_context); end
end
end
end
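Review bot: this hunk only stops writing the `_open_project_session_access_token` cookie; browsers that already hold one keep it until it expires, and the removed block set `value:` and `secure:` but never `httponly`, so that token value was readable from page script. Rather than leaving `omniauth_user_authorized(_context)` as a pure passthrough, consider having it expire the legacy cookie on the next login, e.g. `controller.send(:cookies).delete(:_open_project_session_access_token)`, guarded by `if controller` as the old code was. Minor style point: the replacement comment drops the `##` doc-comment form the removed block used.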
7 changes: 0 additions & 7 deletions modules/openid_connect/spec/requests/openid_connect_spec.rb
Expand Up @@ -98,13 +98,6 @@
expect(response).to have_http_status :found
expect(response.location).to match /\/\?first_time_user=true$/

# after_login requires the optional third context parameter
# remove this guard once we are on v4.1
if OpenProject::OmniAuth::Authorization.method(:after_login!).arity.abs > 2
# check that cookie is stored in the access token
expect(response.cookies["_open_project_session_access_token"]).to eq "foo bar baz"
end

user = User.find_by(mail: user_info[:email])

expect(user).not_to be_nil
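Review bot: removing the cookie assertion leaves this request spec with no coverage of the new behaviour, so a regression that reintroduces the cookie would pass silently. In place of the deleted `expect(response.cookies["_open_project_session_access_token"]).to eq "foo bar baz"`, assert the negative, e.g. `expect(response.cookies["_open_project_session_access_token"]).to be_nil`; that check does not depend on the `after_login!` arity guard that was removed along with it.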