CSRF protection: "state" param #44

Open
wants to merge 20 commits into
base: master
ee1f716
rails 3 and ruby 1.9.2 updates
erickrause May 23, 2011
933af3f
changed the spec so that it was comparing json objects, and not strings
erickrause May 23, 2011
404733a
We use an extra key for authentication. Token endpoint will try to m…
erickrause May 23, 2011
6e17408
mapping the first authentication_key to username. So now it's not ti…
erickrause May 23, 2011
e8f7f64
Allowing use with rails 3.1
dvdplm Jul 29, 2011
918d72e
typo
dvdplm Jul 29, 2011
09d8e9d
Even more liberal on dependencies
dvdplm Jul 29, 2011
50ae167
ActiveSupport::SecureRandom --> SecureRandom to remove deprec warnings
dvdplm Aug 17, 2011
2fcf6e8
Engine controllers descend from common base class
duncanbeevers Apr 6, 2012
54a96f0
Consolidate :authenticate_user! before_filter
duncanbeevers Apr 6, 2012
50c0c43
No isolate_namespace
duncanbeevers May 22, 2012
a1c3741
TokensController can be subclassed
duncanbeevers May 24, 2012
0c113ce
TokensController can be subclassed
duncanbeevers May 24, 2012
78f7b9a
Merge remote-tracking branch 'original/master'
dvdplm Jul 23, 2012
bcedcaa
Merge remote-tracking branch 'ordncn/engine_common_controller'
dvdplm Jul 23, 2012
6438cd8
Don't load deleted rake tasks
dvdplm Jul 23, 2012
cc31b2d
Don't be anal about development gem dependencies
dvdplm Jul 23, 2012
770c59b
Pass along the "state" param as asked for in the IETF draft: http://t…
dvdplm Jul 23, 2012
f539714
Merge remote-tracking branch 'ordncn/flexible_client_credentials_stra…
dvdplm Jul 27, 2012
e97887b
Merge remote-tracking branch 'ordncn/no_isolate_namespace'
dvdplm Jul 30, 2012
1 change: 0 additions & 1 deletion Rakefile
@@ -1,7 +1,6 @@
require "bundler/gem_tasks"

APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
load 'rails/tasks/engine.rake'

require 'rspec/core/rake_task'
RSpec::Core::RakeTask.new('spec')
@@ -1,8 +1,6 @@
module Devise
module Oauth2Providable
class AuthorizationsController < ApplicationController
before_filter :authenticate_user!

class AuthorizationsController < Devise::Oauth2Providable::BaseController
rescue_from Rack::OAuth2::Server::Authorize::BadRequest do |e|
@error = e
render :error, :status => e.status
Expand Down Expand Up @@ -32,6 +30,7 @@ def respond(status, header, response)
def authorize_endpoint(allow_approval = false)
Rack::OAuth2::Server::Authorize.new do |req, res|
@client = Client.find_by_identifier(req.client_id) || req.bad_request!
@state = req.state
res.redirect_uri = @redirect_uri = req.verify_redirect_uri!(@client.redirect_uri)
if allow_approval
if params[:approve].present?
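Review bot: `@state = req.state` captures the client's CSRF binding, but the hunk does not show it reaching the redirect: the value only protects the client if it is echoed back unchanged on every redirect the endpoint issues, including the deny/access_denied and error redirects, and `respond(status, header, response)` named in the hunk header lies outside this hunk. rack-oauth2 may copy `req.state` onto the response object itself; if it does not, the redirect built in `respond` should carry it explicitly. A comment on the new line such as `# client-supplied CSRF binding; echoed back verbatim on the redirect, never validated here` would record the intent. The enclosing `authorize_endpoint` method starts in the hunk but continues past it.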
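--- /dev/null
+++ b/app/controllers/devise/oauth2_providable/base_controller.rb
@@ -0,0 +1,3 @@
+class Devise::Oauth2Providable::BaseController < ApplicationController
+before_filter :authenticate_user!
+end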
@@ -1,5 +1,4 @@
class Devise::Oauth2Providable::TokensController < ApplicationController
before_filter :authenticate_user!
class Devise::Oauth2Providable::TokensController < Devise::Oauth2Providable::BaseController
skip_before_filter :verify_authenticity_token, :only => :create

def create
Expand Up @@ -2,6 +2,7 @@
<%= hidden_field_tag :client_id, client.identifier %>
<%= hidden_field_tag :response_type, response_type %>
<%= hidden_field_tag :redirect_uri, redirect_uri %>
<%= hidden_field_tag :state, state %>
<%= submit_tag action.to_s.capitalize %>
<%= hidden_field_tag action, true %>
<% end %>
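Review bot: `hidden_field_tag :state, state` renders the field even when the client sent no state, and a browser submits an empty `state=` for a value-less hidden input, so the approve/deny POST can turn an absent state into an empty string that may then be appended to the redirect as `state=`. Rendering it conditionally, `<%= hidden_field_tag :state, state if state.present? %>`, keeps the round trip faithful to what the client actually sent. The helper HTML-escapes its value, so reflecting the client-supplied string into the form is fine as written.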
@@ -1,4 +1,4 @@
<h2><%= link_to @client.name, @client.website %> is requesting permission to access your resources.</h2>

<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :approve %>
<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :action => :deny %>
<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :state => @state, :action => :approve %>
<%= render 'devise/oauth2_providable/authorizations/form', :client => @client, :response_type => @response_type, :redirect_uri => @redirect_uri, :state => @state, :action => :deny %>
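--- a/devise_oauth2_providable.gemspec
+++ b/devise_oauth2_providable.gemspec
@@ -16,13 +16,13 @@ Gem::Specification.new do |s|
 
 s.add_runtime_dependency(%q<rails>, [">= 3.1.0"])
 s.add_runtime_dependency(%q<devise>, [">= 1.4.3"])
-s.add_runtime_dependency(%q<rack-oauth2>, ["~> 0.11.0"])
-s.add_development_dependency(%q<rspec-rails>, ['2.6.1'])
+s.add_runtime_dependency(%q<rack-oauth2>, [">= 0.11.0"])
+s.add_development_dependency(%q<rspec-rails>, ['>=2.6.1'])
 s.add_development_dependency(%q<sqlite3>, ['1.3.5'])
-s.add_development_dependency(%q<shoulda-matchers>, ['1.0.0.beta3'])
-s.add_development_dependency(%q<pry>, ['0.9.6.2'])
-s.add_development_dependency(%q<factory_girl>, ['2.2.0'])
-s.add_development_dependency(%q<factory_girl_rspec>, ['0.0.1'])
+s.add_development_dependency(%q<shoulda-matchers>, ['>=1.0.0.beta3'])
+s.add_development_dependency(%q<pry>, ['>=0.9.6.2'])
+s.add_development_dependency(%q<factory_girl>, ['>=2.2.0'])
+s.add_development_dependency(%q<factory_girl_rspec>, ['>=0.0.1'])
 s.add_development_dependency(%q<rake>, ['0.9.2.2'])
 
 s.files = `git ls-files`.split("\n")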
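Review bot: Loosening rack-oauth2 from `~> 0.11.0` to `>= 0.11.0` leaves the runtime dependency with no upper bound, so a future incompatible release of the library that backs the authorize and token endpoints would be accepted by the resolver with no signal from this gemspec. A pessimistic constraint that still admits newer releases keeps the intent, e.g. `s.add_runtime_dependency(%q<rack-oauth2>, ["~> 0.11"])`. The development dependencies relaxed in the same hunk matter less, though `rake` stays pinned exactly while its neighbours are not, which reads as inconsistent.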
1 change: 0 additions & 1 deletion lib/devise/oauth2_providable/engine.rb
Expand Up @@ -7,7 +7,6 @@ class Engine < Rails::Engine
config.devise_oauth2_providable.authorization_code_expires_in = 1.minute

engine_name 'oauth2'
isolate_namespace Devise::Oauth2Providable
initializer "devise_oauth2_providable.initialize_application", :before=> :load_config_initializers do |app|
app.config.filter_parameters << :client_secret
end
Expand Up @@ -4,7 +4,7 @@ module Devise
module Strategies
class Oauth2GrantTypeStrategy < Authenticatable
def valid?
params[:controller] == 'devise/oauth2_providable/tokens' && request.post? && params[:grant_type] == grant_type
env['action_controller.instance'].kind_of?(Devise::Oauth2Providable::TokensController) && request.post? && params[:grant_type] == grant_type
end

# defined by subclass
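Review bot: The new condition in `valid?` replaces the controller-path string comparison with a check on `env['action_controller.instance']`, and the reason is not recorded in the code; a comment such as `# match the dispatching controller instance so subclasses of TokensController are recognised whatever route they are mounted at` would help the next reader. When the strategy runs outside a controller dispatch the key is presumably absent, in which case `nil.kind_of?` is false and the strategy is skipped rather than raising — worth confirming and stating in the same comment. The enclosing class continues outside the hunk.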
@@ -0,0 +1,9 @@
class AddPetColumnToUsers < ActiveRecord::Migration
def self.up
add_column :users, :pet, :string
end

def self.down
remove_column :users, :pet
end
end