A recent change altered the behavior of omniauth when run in test mode. See below for details.

The change appears to have been introduced here: 1b784ff.

Configuration

- omniauth-*
- 2.7.2
- Rails
- Mac

Expected Behavior

When calling an Omniauth strategy while in test mode, the mock checks and tests should be executed in a way that mirrors normal mode.

In regular mode it would look like this:

1. `request_call` phase, if `on_request_path?` is true: https://github.com/omniauth/omniauth/blob/v2.0.1/lib/omniauth/strategy.rb#L192
2. `request_call`, execute authenticity token verification: https://github.com/omniauth/omniauth/blob/v2.0.1/lib/omniauth/strategy.rb#L236

In other words, token verification only occurs if we are on the request path.

Again, the expectation is that test mode would behave the same way: only executing verification if we are on the request path.

Actual Behavior

When test mode is true, `mock_call` is used early in the execution of the middleware. Unfortunately, the authenticity token verification happens differently than it does in normal mode. See https://github.com/omniauth/omniauth/blob/v2.0.1/lib/omniauth/strategy.rb#L302.

The verification happens before the check to `on_request_path?` is made. As a result, the verification happens on every request, not just those that are on the request path provided by omniauth.

The problem is twofold:

1. Any request executed while in test mode that is not part of Omniauth and that does not require a CSRF token will fail (an example would be API calls that are part of the same application).
2. The behavior is different than normal/production mode, meaning developers might inadvertently rely on this additional verification check, which would not be executed outside of test mode.

Steps to Reproduce

1. Set `OmniAuth.config.test_mode = true`
2. Execute any non-GET request to any endpoint on the same application that is not on the Omniauth request path.
3. The `on_failure` block is triggered.

Fix

For what it's worth, the fix seems relatively straightforward: move the `request_validation_phase` check... `on_request_path?` check.

Happy to add a pull request but wanted to submit the issue first in case I was missing something.
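As an added illustration (not OmniAuth's own code and not written by the issue author), the following constructed Ruby model reproduces the ordering difference the report describes: a `request_call` that checks `on_request_path?` before verifying the token, a `mock_call` with the reported ordering (verification first), and the same `mock_call` with the path check moved in front. The `ToyStrategy` class, the stand-in token check, the `/api/widgets` and `/auth/developer` paths and the Rack-style env hashes are all constructed assumptions; only the method and option names (`request_call`, `mock_call`, `on_request_path?`, `on_failure`, test mode) come from the issue.

```ruby
# Constructed model (not OmniAuth's code) of the two middleware entry points the
# issue describes. Method names mirror the ones named in the report; the class,
# the token check and the sample requests are assumptions for illustration.

class ToyStrategy
  attr_reader :failures

  # request_path:     the strategy's OmniAuth request path (constructed: "/auth/developer")
  # test_mode:        mirrors OmniAuth.config.test_mode
  # verify_order_bug: true  -> mock_call verifies the token before the path check
  #                           (the ordering the issue reports)
  #                   false -> mock_call checks the path first, like request_call
  def initialize(app, request_path:, test_mode:, verify_order_bug:)
    @app = app
    @request_path = request_path
    @test_mode = test_mode
    @verify_order_bug = verify_order_bug
    @failures = []
  end

  def call(env)
    @env = env
    @test_mode ? mock_call : request_call
  end

  private

  # Normal mode: requests off the request path pass straight to the app, so the
  # CSRF check only ever runs for the strategy's own request phase.
  def request_call
    return @app.call(@env) unless on_request_path?
    return on_failure(:authenticity_error) unless authenticity_token_ok?
    [200, {}, ["request phase"]]
  end

  # Test mode. With verify_order_bug the token is verified for every request,
  # so an unrelated API call without a token is redirected to on_failure.
  def mock_call
    if @verify_order_bug
      return on_failure(:authenticity_error) unless authenticity_token_ok?
      return @app.call(@env) unless on_request_path?
    else
      return @app.call(@env) unless on_request_path?
      return on_failure(:authenticity_error) unless authenticity_token_ok?
    end
    [200, {}, ["mock request phase"]]
  end

  def on_request_path?
    @env["PATH_INFO"] == @request_path
  end

  # Stand-in for authenticity token verification: GET is exempt, anything else
  # must carry the expected token. (Constructed; a real check compares against
  # the session-bound token.)
  def authenticity_token_ok?
    return true if @env["REQUEST_METHOD"] == "GET"
    @env["X_CSRF_TOKEN"] == "valid-token"
  end

  # Records the failure and redirects, standing in for the on_failure block.
  def on_failure(reason)
    @failures << reason
    [302, { "Location" => "/auth/failure?message=#{reason}" }, []]
  end
end

# The application behind the middleware, e.g. the app's own JSON API.
DOWNSTREAM_APP = ->(_env) { [200, {}, ["downstream app"]] }

# Constructed Rack-style env: a POST to an API endpoint that is not part of
# OmniAuth and carries no CSRF token (step 2 of the reproduction).
API_POST = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/api/widgets" }.freeze

# Returns the HTTP status the middleware produces for the given request.
def status_for(test_mode:, verify_order_bug:, env: API_POST)
  strategy = ToyStrategy.new(DOWNSTREAM_APP, request_path: "/auth/developer",
                             test_mode: test_mode, verify_order_bug: verify_order_bug)
  strategy.call(env.dup).first
end

if $PROGRAM_NAME == __FILE__
  puts "normal mode, API POST:                 #{status_for(test_mode: false, verify_order_bug: false)}"
  puts "test mode as reported, API POST:       #{status_for(test_mode: true,  verify_order_bug: true)}"
  puts "test mode with path check first, POST: #{status_for(test_mode: true,  verify_order_bug: false)}"
end
```

Running the script shows the API POST passing through in normal mode and in the corrected test mode (200), but being redirected to the failure endpoint (302) under the reported ordering. With the path check first, a token-less POST on the strategy's own request path is still rejected, so the fix does not weaken the request phase itself.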