Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: test devise github oauth integration #561

Draft
wants to merge 65 commits into
base: dev
Choose a base branch
from
Draft

WIP: test devise github oauth integration #561

wants to merge 65 commits into from

Conversation

rsmithlal
Copy link
Member

No description provided.

@rsmithlal rsmithlal self-assigned this Jun 11, 2024
@rsmithlal rsmithlal added the enhancement New feature or request label Jun 11, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 12, 2024
View reviewed changes
app/controllers/better_together/omniauth_callbacks_controller.rb Outdated
module BetterTogether
class OmniauthCallbacksController < Devise::OmniauthCallbacksController # rubocop:todo Style/Documentation
# See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy
skip_before_action :verify_authenticity_token, only: %i[github]

Check failure

Code scanning / CodeQL

CSRF protection weakened or disabled High

Potential CSRF vulnerability due to forgery protection being disabled or weakened.

Copilot Autofix AI about 16 hours ago

To fix the problem, we need to ensure that CSRF protection is enabled for the github action. Instead of skipping the CSRF token verification, we can use a different approach to handle the OAuth callback securely. One common method is to use the state parameter provided by OAuth to include a CSRF token in the request and verify it upon callback.

  1. Remove the skip_before_action :verify_authenticity_token, only: %i[github] line.
  2. Implement a method to generate a CSRF token and include it in the OAuth request as the state parameter.
  3. Verify the state parameter in the callback to ensure it matches the CSRF token.
Suggested changeset 1
app/controllers/better_together/omniauth_callbacks_controller.rb

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/controllers/better_together/omniauth_callbacks_controller.rb b/app/controllers/better_together/omniauth_callbacks_controller.rb
--- a/app/controllers/better_together/omniauth_callbacks_controller.rb
+++ b/app/controllers/better_together/omniauth_callbacks_controller.rb
@@ -5,3 +5,3 @@
     # See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy
-    skip_before_action :verify_authenticity_token, only: %i[github]
+    before_action :verify_oauth_state, only: %i[github]
 
@@ -9,2 +9,3 @@
     before_action :set_user, except: [:failure]
+    before_action :generate_oauth_state, only: %i[github]
 
@@ -18,2 +19,9 @@
 
+    def verify_oauth_state
+      if params[:state] != session[:oauth_state]
+        flash[:alert] = 'Invalid OAuth state parameter'
+        redirect_to new_user_registration_path
+      end
+    end
+
     def handle_auth(kind) # rubocop:todo Metrics/AbcSize
@@ -45,2 +53,6 @@
     end
+
+    def generate_oauth_state
+      session[:oauth_state] = SecureRandom.hex(24)
+    end
 
EOF
@@ -5,3 +5,3 @@
# See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy
skip_before_action :verify_authenticity_token, only: %i[github]
before_action :verify_oauth_state, only: %i[github]

@@ -9,2 +9,3 @@
before_action :set_user, except: [:failure]
before_action :generate_oauth_state, only: %i[github]

@@ -18,2 +19,9 @@

def verify_oauth_state
if params[:state] != session[:oauth_state]
flash[:alert] = 'Invalid OAuth state parameter'
redirect_to new_user_registration_path
end
end

def handle_auth(kind) # rubocop:todo Metrics/AbcSize
@@ -45,2 +53,6 @@
end

def generate_oauth_state
session[:oauth_state] = SecureRandom.hex(24)
end

Copilot is powered by AI and may make mistakes. Always verify output.
@rsmithlal rsmithlal committed this autofix suggestion about 16 hours ago.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
rsmithlal and others added 9 commits June 16, 2024 18:45
@rsmithlal
WIP: attempt to correctly sign_in the user after oauth
8bc4afa
@rsmithlal
Rubocop fixes
3bdbd69
@rsmithlal
Merge branch 'main' into feature/github-integration
72272b1 
Signed-off-by: Robert Smith <[email protected]>
@dependabot
Build(deps): Bump ruby-openai from 7.3.1 to 7.4.0
affb5b4 
Bumps [ruby-openai](https://github.com/alexrudall/ruby-openai) from 7.3.1 to 7.4.0.
- [Release notes](https://github.com/alexrudall/ruby-openai/releases)
- [Changelog](https://github.com/alexrudall/ruby-openai/blob/main/CHANGELOG.md)
- [Commits](alexrudall/ruby-openai@v7.3.1...v7.4.0)

---
updated-dependencies:
- dependency-name: ruby-openai
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Build(deps): Bump aws-sdk-s3 from 1.181.0 to 1.182.0
749587e 
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.181.0 to 1.182.0.
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

---
updated-dependencies:
- dependency-name: aws-sdk-s3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Build(deps-dev): Bump selenium-webdriver from 4.28.0 to 4.29.0
7009ffe 
Bumps [selenium-webdriver](https://github.com/SeleniumHQ/selenium) from 4.28.0 to 4.29.0.
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES)
- [Commits](SeleniumHQ/selenium@selenium-4.28.0...selenium-4.29.0)

---
updated-dependencies:
- dependency-name: selenium-webdriver
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Build(deps): Bump redis from 5.3.0 to 5.4.0
75b8434 
Bumps [redis](https://github.com/redis/redis-rb) from 5.3.0 to 5.4.0.
- [Changelog](https://github.com/redis/redis-rb/blob/master/CHANGELOG.md)
- [Commits](redis/redis-rb@v5.3.0...v5.4.0)

---
updated-dependencies:
- dependency-name: redis
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@rsmithlal
Build(deps): Bump redis from 5.3.0 to 5.4.0 (#772)
5ade9f9 
Bumps [redis](https://github.com/redis/redis-rb) from 5.3.0 to 5.4.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/redis/redis-rb/blob/master/CHANGELOG.md">redis's
changelog</a>.</em></p>
<blockquote>
<h1>5.4.0</h1>
<ul>
<li>Fix <code>blmpop</code> method to actually use <code>BLMPOP</code>,
it was mistakenly issuing <code>LMPOP</code> commands.</li>
<li><code>xadd</code> now accepts a <code>minid:</code> argument.</li>
<li><code>zrank</code> and <code>zrevrank</code> now accepts
<code>with_score:</code> argument.</li>
<li><code>Redis#call</code> now accept a block, allowing to use
<code>Redis</code> instances where <code>RedisClient</code> is
expected.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/redis/redis-rb/commit/082d19800505c949294ce9dc6b91be9b9e539aed"><code>082d198</code></a>
Release 5.4.0</li>
<li><a
href="https://github.com/redis/redis-rb/commit/00f7a9f60f05b903c556b6f19b11a5fa12b2256e"><code>00f7a9f</code></a>
Merge pull request <a
href="https://redirect.github.com/redis/redis-rb/issues/1310">#1310</a>
from redis/fix-blmpop</li>
<li><a
href="https://github.com/redis/redis-rb/commit/b2a2ddf08aa0dcda3c56cd68d59f2304c78cfc96"><code>b2a2ddf</code></a>
Fix Redis#blmpop to actually send BLMPOP</li>
<li><a
href="https://github.com/redis/redis-rb/commit/2a4544c05e5913446b9b924135514b008d876b80"><code>2a4544c</code></a>
Merge pull request <a
href="https://redirect.github.com/redis/redis-rb/issues/1309">#1309</a>
from willbryant/xadd_minid</li>
<li><a
href="https://github.com/redis/redis-rb/commit/4eb23d7c57ad8dfc84744cae085db6e31f8117e2"><code>4eb23d7</code></a>
Support the MINID option for XADD</li>
<li><a
href="https://github.com/redis/redis-rb/commit/55725a24b3945eb0b6bb558b6bc42a4c66229e14"><code>55725a2</code></a>
Fix rubocop on newer rubies</li>
<li><a
href="https://github.com/redis/redis-rb/commit/b6fd17b28be94cb497d76c9394676d8317e941d5"><code>b6fd17b</code></a>
Merge pull request <a
href="https://redirect.github.com/redis/redis-rb/issues/1307">#1307</a>
from ozennou/patch-1</li>
<li><a
href="https://github.com/redis/redis-rb/commit/d1ddf7c3b7a4fe9a3557a017e99358ba93b4adbc"><code>d1ddf7c</code></a>
Update CI configuration</li>
<li><a
href="https://github.com/redis/redis-rb/commit/3669beb9d30e690cfc228053ea6115b49cd98bd6"><code>3669beb</code></a>
Merge pull request <a
href="https://redirect.github.com/redis/redis-rb/issues/1300">#1300</a>
from Hugo-Hache/hh/zrevrank-withscore</li>
<li><a
href="https://github.com/redis/redis-rb/commit/fb709081368d76202a7cc113c7ae20536e159faa"><code>fb70908</code></a>
Add :with_score option to zrank and zrevrank</li>
<li>Additional commits viewable in <a
href="https://github.com/redis/redis-rb/compare/v5.3.0...v5.4.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=redis&package-manager=bundler&previous-version=5.3.0&new-version=5.4.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>
@rsmithlal
Build(deps): Bump aws-sdk-s3 from 1.181.0 to 1.182.0 (#770)
6c8d612 
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) from 1.181.0 to
1.182.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md">aws-sdk-s3's
changelog</a>.</em></p>
<blockquote>
<h2>1.182.0 (2025-02-18)</h2>
<ul>
<li>Feature - Code Generated Changes, see <code>./build_tools</code> or
<code>aws-sdk-core</code>'s CHANGELOG.md for details.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/aws/aws-sdk-ruby/commits">compare view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=aws-sdk-s3&package-manager=bundler&previous-version=1.181.0&new-version=1.182.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>
rsmithlal added 21 commits March 1, 2025 11:15
@rsmithlal
Default locale to current_person's locale if not in params and person…
0cf31b7 
… locale exists
@rsmithlal
Rubocop fixes
93149c0
@rsmithlal
Address misaligned locale count and url csv headers
fe025da
@rsmithlal
Adjust heading level of new page view report header
12a9d28
@rsmithlal
Update rubyonrails.yml
df59892 
Signed-off-by: Robert Smith <[email protected]>
@rsmithlal
rubocop:disable Style/CombinableLoops for page view report csv headers
dfb4dd0
@rsmithlal
Relocate model concerns to models/concerns directory
1254186
@rsmithlal
Rename Metrics::Pageable concern to Viewable
04ea923
@rsmithlal
Add LinkClickReport and new tabbed section in link click report metri…
850edda 
…cs tab
@rsmithlal
Render conversations inside of communicator view
4af60c2
@rsmithlal
Re-implement flexible invitation model
d9a4a1a
@rsmithlal
Re-implement Post model
275fd16
@rsmithlal
Re-implement Authorship system
a773b3b
@rsmithlal
Adjust page migration to use the bt_privacy helper
e11d25a
@rsmithlal
Make Community Searchable
d12eee2
@rsmithlal
Rubocop fixes
25c4405
@rsmithlal
Allow navigation items to have fallback urls that include their ident…
adbd0ea 
…ifier as a hash value
@rsmithlal
Improve structure of importmap channels
d3712d5
@rsmithlal
Add initial feature spec for setup wizard. Coverage 28.87%
ce61d54
@rsmithlal
Disable html content for posts for now
bab1aeb 
failing test
@rsmithlal
Set post slugged after slugged attribute is defined
4872016
@rsmithlal rsmithlal changed the base branch from main to dev March 1, 2025 14:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@rsmithlal rsmithlal

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rsmithlal