Discourse Cookie Store: Omniauth callback sessions are nil


(Leo) #1

In my custom oauth2 login I’m saving some session values. It was working fine till I recently pulled the latest code from branch tests-passed and noticed that session is always nil in omniauth_callback_controller.rb

def complete
auth = request.env[“omniauth.auth”]
auth[:session] = session # it doesn’t contain my session value

Then i found out session_store was changed in latest pull

Discourse::Application.config.session_store(
:discourse_cookie_store, #it use to be :cookie_store
key: ‘_forum_session’,
path: (Rails.application.config.relative_url_root.nil?) ? ‘/’ : Rails.application.config.relative_url_root
)

even it raises csrf_detected failure at callback_phase method at oauth2 strategy file if opts[:provider_ignores_state] is set to true, cuz session[‘omniauth.state’] is nil

elsif !options.provider_ignores_state && (request.params[“state”].to_s.empty? || request.params[“state”] != session.delete(“omniauth.state”))
fail!(:csrf_detected, CallbackError.new(:csrf_detected, “CSRF detected”))

Just to mention, everything works fine if I change it to :cookie_store rather than ':discourse_cookie_store`. is it a bug?


(Jeff Atwood) #2

Any ideas here @eviltrout?


(Robin Ward) #4

Looking at git blame, the :discourse_cookie_store change was 5 months ago. Were you working with a branch that’s over 5 months old? If so I’m not surprised it broke!


(Leo) #5

It had to do with the recent addition of extra security for cookies same site cookies in discourse, which prevents sharing cookies with third party sites, which is kind of secure. I’m using a bit complex authentication system which involves SSO and OAuth2, where i had to share some cookies with our known authentication server. I added an exception in terms of sharing cookies with this server while perserving same site cookies feature and everything is working fine.
Thanks for response and such an awesome forum application. @codinghorror @eviltrout :grinning:


(Robin Ward) #6