Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Conversation

xinz
Copy link
Contributor

@xinz xinz commented May 17, 2021

Hello,

In the #136 PR, we add a feature to protect CSRF attack by put the state parameter into cookie, and we remove the state cookie is after the handle_callback!/1 function of the strategy in this changes, before this PR changes, in the handle_callback!/1 function of the strategy we can do any proper process with Plug, but now we may see a similar "AlreadySentError" error if we make a redirection in the handle_callback!/1:

  1) test make ensure run_callback properly clean the internal state param in cookie (UeberauthTest)
     test/ueberauth_test.exs:233
     ** (Plug.Conn.AlreadySentError) the response was already sent
     code: |> Ueberauth.run_callback(
     stacktrace:
       (plug 1.11.0) lib/plug/conn.ex:1720: Plug.Conn.update_cookies/2
       (ueberauth 0.6.3) lib/ueberauth/strategy.ex:370: Ueberauth.Strategy.run_handle_cleanup/2
       test/ueberauth_test.exs:251: (test)

In this PR, I change to put the state cookie clean before run handle_callback!/1, since the state parameter in cookie should be transparent for the strategy, and add a test case to catch this.

Please review and advise, cc @yordis @doomspork .

Thanks.

@xinz xinz requested a review from a team as a code owner May 17, 2021 03:22
@xinz xinz mentioned this pull request May 17, 2021
Copy link
Member

@doomspork doomspork left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @xinz 🎉 Just a few small change requests

@xinz
Copy link
Contributor Author

xinz commented May 17, 2021

Hi @doomspork, thanks for your suggestions, please review again when you have time for it.

@doomspork
Copy link
Member

Thank you @xinz! 💜

@yordis do you want to take a quick peek at this before merging?

@doomspork doomspork dismissed their stale review May 17, 2021 13:38

Stale

@xinz xinz requested a review from doomspork May 17, 2021 14:55
@xinz
Copy link
Contributor Author

xinz commented May 17, 2021

Sorry that I accidentally re-click the send review request button if disturbed.

@doomspork doomspork merged commit a05bd32 into ueberauth:master Jun 11, 2021
@xinz xinz deleted the remove_state_cookie branch June 21, 2021 04:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants