v3.0.0

@davidpatrick davidpatrick released this 19 Apr 15:39
7d58d6b

Version 3.0 moves to OmniAuth v2.0, which addresses CVE-2015-9284 (login CSRF through the OmniAuth request phase). OmniAuth now defaults to POST as the only allowed request_phase method. Previously, the recommended mitigation was to add the omniauth-rails_csrf_protection v0.x.x gem to provide CSRF protection.

Upgrading to omniauth-rails_csrf_protection v1.0.0

If you are using omniauth-rails_csrf_protection to provide CSRF protection, you will need to upgrade it to 1.x.x.

BREAKING CHANGES

Now that OmniAuth defaults to POST as the only allowed request_phase method, you will need to convert any login links to use form helpers that submit a POST request, if you have not already done so. A plain GET link to /auth/auth0 will no longer start the login flow.

# OLD -- GET request (rejected by OmniAuth 2.0 by default)
<a href='/auth/auth0'>Login</a>

# NEW Example #1 -- POST request via rails-ujs (emits data-method="post"; requires the UJS JavaScript to be loaded)
<%= link_to 'Login', '/auth/auth0', method: :post %>

# NEW Example #2 -- POST request (renders a form that embeds the authenticity token; no JavaScript needed)
<%= button_to 'Login', '/auth/auth0', method: :post %>

# NEW Example #3 -- POST request (form_tag also embeds the authenticity token)
<%= form_tag('/auth/auth0', method: :post) do %>
  <button type='submit'>Login</button>
<% end %>

Allowing GET Requests

If you absolutely must allow GET requests for the authentication request phase, you can override the protection with the following configuration (typically in an initializer):

# Allowing GET requests re-exposes you to CVE-2015-9284: any cross-site link,
# redirect or <img> can start the request phase on behalf of a logged-in user.
OmniAuth.config.allowed_request_methods = [:get, :post]
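The following is an added illustration, not code from OmniAuth, omniauth-auth0 or omniauth-rails_csrf_protection: a small pure-Ruby model of the request-phase gate that shows, with simulated requests, why the POST-only default plus a session-bound authenticity token stops a cross-site page from starting the login flow, and what the [:get, :post] override gives up. The RequestPhaseGate class, the Rack-style env hashes and the issue_token helper are all assumptions made for the example; the token check is skipped for GET on purpose, mirroring how Rails' forgery verification treats GET as a safe method, which is exactly why allowing GET reopens the CSRF.

```ruby
require 'securerandom'

# Added example, not the gem's code: models the OmniAuth 2.0 request-phase gate
# (allowed_request_methods) combined with an omniauth-rails_csrf_protection-style
# authenticity-token check. Requests are plain Rack-like Hashes so it runs offline.
class RequestPhaseGate
  AUTH_PATH = %r{\A/auth/(?<provider>[a-z0-9_]+)\z}

  attr_reader :allowed_request_methods

  def initialize(allowed_request_methods: [:post])
    @allowed_request_methods = allowed_request_methods.map(&:to_sym)
  end

  # Mint a per-session CSRF token, as a Rails form helper would embed in the page.
  def self.issue_token(session)
    session['csrf_token'] ||= SecureRandom.hex(32)
  end

  # Returns [status, headers, body]; 302 means the request phase started
  # (the user is being sent to the identity provider).
  def call(env)
    m = AUTH_PATH.match(env['PATH_INFO'].to_s)
    return [404, {}, ['not found']] unless m

    method = env['REQUEST_METHOD'].to_s.downcase.to_sym
    unless allowed_request_methods.include?(method)
      # With the OmniAuth 2.0 default [:post], a GET never reaches the provider.
      allow = allowed_request_methods.map { |x| x.to_s.upcase }.join(', ')
      return [405, { 'Allow' => allow }, ['method not allowed']]
    end

    # Like Rails' forgery verification, GET is treated as "safe" and not token-checked,
    # so an allowed GET is exactly the hole CVE-2015-9284 describes.
    if method != :get && !valid_token?(env)
      return [403, {}, ['invalid authenticity token']]
    end

    [302, { 'Location' => "https://idp.example/authorize?provider=#{m[:provider]}" }, []]
  end

  private

  def valid_token?(env)
    expected = env.fetch('rack.session', {})['csrf_token']
    given = env.fetch('params', {})['authenticity_token']
    return false if expected.nil? || given.nil?
    secure_compare(expected, given)
  end

  # Constant-time comparison so response timing does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario: the browser sends the victim's session cookie either way,
# but an attacker's page cannot read the token, so a forged request carries none
# (GET via <img>/redirect) or a guess (auto-submitted cross-site POST form).
def forged_request(method, session)
  { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/auth/auth0',
    'rack.session' => session, 'params' => { 'authenticity_token' => 'guess' } }
end

# A POST from the app's own button_to/form_tag, carrying the real token.
def legitimate_request(session)
  { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/auth/auth0',
    'rack.session' => session,
    'params' => { 'authenticity_token' => RequestPhaseGate.issue_token(session) } }
end

# Status codes for [forged GET, forged POST, legitimate POST] under a given config.
def run_scenarios(allowed_request_methods)
  gate = RequestPhaseGate.new(allowed_request_methods: allowed_request_methods)
  session = {}
  RequestPhaseGate.issue_token(session)
  [gate.call(forged_request('GET', session)).first,
   gate.call(forged_request('POST', session)).first,
   gate.call(legitimate_request(session)).first]
end

if __FILE__ == $PROGRAM_NAME
  puts "default [:post]:        #{run_scenarios([:post]).inspect}"        # [405, 403, 302]
  puts "override [:get, :post]: #{run_scenarios([:get, :post]).inspect}"  # [302, 403, 302]
end
```

With the default configuration the forged GET is refused (405) and the forged POST fails the token check (403), while the app's own form succeeds (302). With the override, the forged GET goes straight through to the 302, so any page the victim visits can start an Auth0 login in their session; that is the exposure the comment above the config line warns about.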