Is The Rails Gem 'omniauth-google-oauth2' Secure / How Does request.env work?
I've implemented the 'omniauth-google-oauth2' gem in my rails/devise app using the example pattern given on https://github.com/zquestz/omniauth-google-oauth2. However, I'm concerned that this pattern is not secure.
I have attempted to review the source code on git hub, and the official google documentation at https://developers.google.com/identity/sign-in/web/devconsole-project, however I have not been able to convince myself this pattern is secure.
From the google docs, the flow is supposed to look like this:
My security concern lies with not having a great understanding of how request.env works.
Question 1: Can a user set request.env values (for example, with something like cURL requests)?
Question 2: If so, what is stopping a malicious user from hitting an app's omniauth callback endpoint and setting the values of request.env so they can impersonate another user? For example, in the sample shown on github the callback endpoint in the controller is:
class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
def google_oauth2
# You need to implement the method below in your model (e.g. app/models/user.rb) @user = User.from_omniauth(request.env["omniauth.auth"]) if @user.persisted? flash[:notice] = I18n.t "devise.omniauth_callbacks.success", :kind => "Google" sign_in_and_redirect @user, :event => :authentication else session["devise.google_data"] = request.env["omniauth.auth"].except(:extra) #Removing extra as it can overflow some session stores redirect_to new_user_registration_url, alert: @user.errors.full_messages.join("\n") endend
end
Question 3: My rails app server (I'm using puma) doesn't seem to be logging the request from step 5 in the diagram (exchanging code for token). I can't see that from the user's perspective in Chrome because the user isn't involved in that communication. How can I see/log/verify that call is taking place?
Question 1: Can a user set request.env values (for example, with something like cURL requests)?
Yes. request.env contains a bunch of things like incoming headers and params. But the user cannot set request.env['omniauth.auth'] as its populated with values fetched by a server side request to the provider.
Using env and request.env to pass values is a pretty standard way to pass data from Rack middleware down the pipeline. Its not a gaping security hole since user input is limited to to params and headers.
Question 2: If so, what is stopping a malicious user from hitting an app's omniauth callback endpoint and setting the values of request.env so they can impersonate another user?
The only input accepted from the user is the access token, id token and one time code. Aquiring these would require a brute force attack (on the provider) or a man in the middle attack.
Question 3: My rails app server (I'm using puma) doesn't seem to be logging the request from step 5 in the diagram (exchanging code for token). I can't see that from the user's perspective in Chrome because the user isn't involved in that communication. How can I see/log/verify that call is taking place?
There is nothing in the logs since the calls are being made from your rails server to the provider. You can use something like httplog to debug but really you should have tests which cover these aspects of the Omniauth strategy.
- rintrojs only shows first dialog in Safari
- Automatically read a column of lowercases True and False as logical
- How do I add counts to a stacked bar graph?
- Counting the number of rows between each pair of months?
- How to create a conditional panel using a reactive object that is passed from another module?
- Plot multiple normalized stock charts from different dates into a single plot
- Select columns based on string match - dplyr::select
- Looking for a more efficient way to replace matrix elements
- modelsummary modelplot: change linewidth
- custom R function with group argument does not work while using the filter
- ggsurvplot function, risk table alignment problem
- plot running average in ggplot2
- Calling variable in df within function
- How to find position of running minimum (runMin) in a vector in R?
- Using httr2::last_response() in conjunction with purrr::possibly()
- Cropping a raster using terra does not return the expected extent
- Can janitor::clean_names be used on only certain columns in a data frame?
- Efficient way of row binding time series in a data.table, with correctly sorted timestamps
- Defining optional arguments in R when more complex function
- Can I change the cursor in plotly only when hovering over points?
- Issue Loading RStoolbox: "Cannot find proj.db" Error
- Filter CSV files for specific value before importing
- Matching the same lines from 2 different files and 2 columns
- Conditional coloring and outer borders in pdf KableExtra table in R
- How can I use observe
- Posterior predictive check for GAM (mgcv in R)
- Embed images in plotly tick labels
- Product of two beta distributions
- R: how to include a character between two repeted items in R?
- Categorizing data from 7 columns into 2