aha_builder_core 1.0.5 → 1.0.6
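--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9b8f4ea89a8c48e32987674fde51690fb12724503ca2284af49bb462c3daf70e
+data.tar.gz: 0ce63753cead6d93aff650414fad65863903326409508c243df9c24bfc7f912e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 795df34548c6321d7bd28f514071fbbb3b797ad5aaabb5f52b86ca8fc1b186741e4bdd87a9d91efbc7151c38e81b8d81340bcff1bb6de42e10832fe47f1bda3b
+data.tar.gz: 417d5fe39792591decf0e02be88c2095da37cf972ae94dbf5c683e7081cd2252bfc51398d9d3e1737681b280caa85b89ba9acf3dd5905afb9133462bb66bc5f6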
data/lib/aha/auth/version.rb
CHANGED
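--- a/data/lib/aha/auth.rb
+++ b/data/lib/aha/auth.rb
@@ -42,15 +42,15 @@ module Aha
 
 # Generate login URL for redirecting users to the auth server
 #
-# @param
+# @param cookies [Hash] Cookies hash to store the nonce for CSRF verification
 # @param state [String] Optional state parameter to pass through the auth flow
 # @return [String] The login URL
-def login_url(
+def login_url(cookies:, state: nil)
 # Generate a nonce for CSRF protection
 nonce = SecureRandom.hex(10)
 
 # Store nonce in the client's session if provided
-
+cookies[:auth_nonce] = nonce
 
 # Encode the state with nonce
 state_data = {
@@ -72,23 +72,27 @@ module Aha
 # Exchange an authorization code for tokens
 #
 # @param code [String] The authorization code from the callback (may include nonce)
-# @param
+# @param cookies [Hash] Cookies hash containing the nonce for CSRF verification
 # @return [Hash] Token response with :session_token, :refresh_token, :expires_at, :user
-def authenticate_with_code(code:,
+def authenticate_with_code(code:, cookies:)
 # Split the code and nonce if present
 actual_code, nonce = code.split(".", 2)
 
 # Verify CSRF protection if nonce is present
 if nonce
-
+cookie_nonce = cookies[:auth_nonce]
 
 # Verify nonce matches
-if
+if cookie_nonce.blank?
+raise "CSRF verification failed: nonce missing in session"
+end
+
+if cookie_nonce != nonce
 raise "CSRF verification failed: nonce mismatch"
 end
 
 # Clear the nonce from session after verification
-
+cookies.delete(:auth_nonce)
 else
 # If we fon't have a none, we can't verify CSRF.
 raise "CSRF verification failed: unable to verify nonce"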
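Review bot: The nonce check added in authenticate_with_code, `if cookie_nonce != nonce`, is an ordinary short-circuiting string comparison on a value that arrives from a client cookie; a constant-time compare such as `unless ActiveSupport::SecurityUtils.secure_compare(cookie_nonce, nonce)` is the usual choice here, and the adjacent `cookie_nonce.blank?` suggests ActiveSupport is already in scope (worth confirming the gem declares that dependency). In the login_url hunk, `cookies[:auth_nonce] = nonce` stores the nonce as a plain cookie, so when a Rails cookie jar is passed in — as the SessionsController hunk below does with `cookies:` — the value is neither signed nor HttpOnly and can be read and replaced on the client before the callback trusts it; writing and reading it through `cookies.signed` (or at minimum setting `httponly: true`) on both sides would tighten this, and the `[Hash]` doc tag would then need updating. The comment `# Store nonce in the client's session if provided` is stale now that `cookies:` is a required keyword. Both methods continue outside the hunks.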
@@ -4,13 +4,13 @@ class SessionsController < ApplicationController
4
4
def new
5
5
redirect_to Aha::Auth.login_url(
6
6
state: { return_to: params[:return_to] || root_path }.to_json,
7
-
7
+
cookies:
8
8
), allow_other_host: true
9
9
end
10
10
11
11
def callback
12
12
if params[:code].present?
13
-
result = Aha::Auth.authenticate_with_code(code: params[:code],
13
+
result = Aha::Auth.authenticate_with_code(code: params[:code], cookies:)
14
14
15
15
user = User.find_or_initialize_by(auth_identifier: result[:user]["id"])
16
16