Is The Rails Gem 'omniauth-google-oauth2' Secure / How Does request.env work?
I've implemented the 'omniauth-google-oauth2' gem in my rails/devise app using the example pattern given on https://github.com/zquestz/omniauth-google-oauth2. However, I'm concerned that this pattern is not secure.
I have attempted to review the source code on git hub, and the official google documentation at https://developers.google.com/identity/sign-in/web/devconsole-project, however I have not been able to convince myself this pattern is secure.
From the google docs, the flow is supposed to look like this:
My security concern lies with not having a great understanding of how request.env works.
Question 1: Can a user set request.env values (for example, with something like cURL requests)?
Question 2: If so, what is stopping a malicious user from hitting an app's omniauth callback endpoint and setting the values of request.env so they can impersonate another user? For example, in the sample shown on github the callback endpoint in the controller is:
class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
def google_oauth2
# You need to implement the method below in your model (e.g. app/models/user.rb) @user = User.from_omniauth(request.env["omniauth.auth"]) if @user.persisted? flash[:notice] = I18n.t "devise.omniauth_callbacks.success", :kind => "Google" sign_in_and_redirect @user, :event => :authentication else session["devise.google_data"] = request.env["omniauth.auth"].except(:extra) #Removing extra as it can overflow some session stores redirect_to new_user_registration_url, alert: @user.errors.full_messages.join("\n") endend
end
Question 3: My rails app server (I'm using puma) doesn't seem to be logging the request from step 5 in the diagram (exchanging code for token). I can't see that from the user's perspective in Chrome because the user isn't involved in that communication. How can I see/log/verify that call is taking place?
Question 1: Can a user set request.env values (for example, with something like cURL requests)?
Yes. request.env contains a bunch of things like incoming headers and params. But the user cannot set request.env['omniauth.auth'] as its populated with values fetched by a server side request to the provider.
Using env and request.env to pass values is a pretty standard way to pass data from Rack middleware down the pipeline. Its not a gaping security hole since user input is limited to to params and headers.
Question 2: If so, what is stopping a malicious user from hitting an app's omniauth callback endpoint and setting the values of request.env so they can impersonate another user?
The only input accepted from the user is the access token, id token and one time code. Aquiring these would require a brute force attack (on the provider) or a man in the middle attack.
Question 3: My rails app server (I'm using puma) doesn't seem to be logging the request from step 5 in the diagram (exchanging code for token). I can't see that from the user's perspective in Chrome because the user isn't involved in that communication. How can I see/log/verify that call is taking place?
There is nothing in the logs since the calls are being made from your rails server to the provider. You can use something like httplog to debug but really you should have tests which cover these aspects of the Omniauth strategy.
- How do you retrieve up to 3200 statuses in rails?
- Installed sqlite3 but still getting error couldn't find database client: sqlite3. Check your $PATH and try again.
- Can RSpec stubbed method return different values in sequence?
- Ruby on Rails: Load Utility Module for Unit Test
- Ruby on Rails hashed password using BCrypt not saving to postgres users table
- ActiveRecord exists? with associations
- Stripe connect onboarding limiting country? (locked to 'Australia')
- Polymorphic Association not working with ActiveHash
- How to import Tailwind plugin in Rails 7
- How can I avoid running ActiveRecord callbacks?
- What's :locals for in render in rails?
- Implement a derived attribute in Rails 7
- How to select where ID in Array Rails ActiveRecord without exception
- error connecting external database with rails
- Calling a turbo stream from within another one
- How do I render a partial of a different format in Rails?
- How do I use the "turbo:frame-load" event with Hotwire and Stimulus in Rails?
- Rails5 Directly inheriting from from ActiveRecord::Migration is not supported. Sorcery Gem
- Uninitialized constant Admin::Admin
- In Rails, how to have an /admin section, and then controllers within the admin section?
- How to use tailwind css gem in a rails 7 engine?
- Rails Active Storage - Keep Existing Files / Uploads?
- Multiple hits to an API bringing server to it's knees
- Trying to allow creation of a related object in Ruby on Rails form
- Adding * to required form labels
- Rails 4 + Capistrano 3 - Deploy to Production Server from Local Repo
- How to set up has_many, through: with only unique combinations
- Rails 3.0.2 installation build fails with "error: 'maybe_unused' attribute cannot be applied to types"
- Reserved names with ActiveRecord models
- How do I order by lower-cased field on an aliased association without manually specifying a join?