Project

omniauth-rails_csrf_protection

0.93
Low commit activity in last 3 years
No release in over a year
omniauth-rails_csrf_protectioncookpad/omniauth-rails_csrf_protectionHomepageDocumentationSource CodeBug Tracker
This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request Forgery on the request phrase when using OmniAuth gem with a Ruby on Rails application) by implementing a CSRF token verifier that directly utilize `ActionController::RequestForgeryProtection` code from Rails.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
33,918,309
Stars
214
Forks
36
Watchers
19
 Releases
Current version
1.0.1
Total releases
5
First release
2019-05-30
Latest release
2022-02-07
 Issues
Open Issues
2
Closed Issues
6
Total Issues
8
Issue Closure Rate
75%
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
1
Merged Pull Requests
8
Pull Request Acceptance Rate
88%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2020-12-18
Reverse Dependencies
23

 Dependencies

Development

bundler
>= 0
minitest
>= 0
rails
>= 0
rake
>= 0

Runtime

actionpack
>= 4.2
omniauth
~> 2.0
 Project Readme

OmniAuth - Rails CSRF Protection

This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request Forgery on the request phase when using OmniAuth gem with a Ruby on Rails application) by implementing a CSRF token verifier that directly uses ActionController::RequestForgeryProtection code from Rails.

Usage

Add this line to your application's Gemfile:

gem "omniauth-rails_csrf_protection"

Then run bundle install to install this gem.

You will then need to verify that all links in your application that would initiate OAuth request phase are being converted to a HTTP POST form that contains authenticity_token value. This might simply be done by changing all link_to to button_to, or use link_to ..., method: :post.

Under the Hood

This gem does a few things to your application:

  • Disable access to the OAuth request phase using HTTP GET method.
  • Insert a Rails CSRF token verifier at the before request phase.

These actions mitigate you from the attack vector described in CVE-2015-9284.

Contributing

Bug reports and pull requests are welcome on GitHub. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the this project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.