Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/cookpad/omniauth-rails_csrf_protection

Provides CSRF protection on OmniAuth request endpoint on Rails application.
https://github.com/cookpad/omniauth-rails_csrf_protection

Last synced: about 2 months ago
JSON representation

Provides CSRF protection on OmniAuth request endpoint on Rails application.

Host: GitHub
URL: https://github.com/cookpad/omniauth-rails_csrf_protection
Owner: cookpad
License: mit
Created: 2019-05-30T05:50:40.000Z (over 5 years ago)
Default Branch: main
Last Pushed: 2024-05-10T11:22:38.000Z (5 months ago)
Last Synced: 2024-06-26T13:04:21.522Z (3 months ago)
Language: Ruby
Homepage:
Size: 33.2 KB
Stars: 221
Watchers: 19
Forks: 38
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
- Code of conduct: CODE_OF_CONDUCT.md

Awesome Lists containing this project

README

# OmniAuth - Rails CSRF Protection

This gem provides a mitigation against [CVE-2015-9284] (Cross-Site Request
Forgery on the request phase when using OmniAuth gem with a Ruby on Rails
application) by implementing a CSRF token verifier that directly uses
`ActionController::RequestForgeryProtection` code from Rails.

[CVE-2015-9284]: https://nvd.nist.gov/vuln/detail/CVE-2015-9284

## Usage

Add this line to your application's Gemfile:

```ruby
gem "omniauth-rails_csrf_protection"
```

Then run `bundle install` to install this gem.

You will then need to verify that all links in your application that would
initiate OAuth request phase are being converted to a HTTP POST form that
contains `authenticity_token` value. This might simply be done by changing all
`link_to` to `button_to`, or use `link_to ..., method: :post`.

## Under the Hood

This gem does a few things to your application:

* Disable access to the OAuth request phase using HTTP GET method.
* Insert a Rails CSRF token verifier at the before request phase.

These actions mitigate you from the attack vector described in [CVE-2015-9284].

## Contributing

Bug reports and pull requests are welcome on GitHub. This project is
intended to be a safe, welcoming space for collaboration, and contributors are
expected to adhere to the
[Contributor Covenant](http://contributor-covenant.org) code of conduct.

## License

The gem is available as open source under the terms of the
[MIT License](https://opensource.org/licenses/MIT).

## Code of Conduct

Everyone interacting in the this project’s codebases, issue trackers, chat
rooms and mailing lists is expected to follow the
[code of conduct](https://github.com/cookpad/omniauth-rails_csrf_protection/blob/main/CODE_OF_CONDUCT.md).