"CSRF detected" with Omniauth and Google

#1
I'm getting this

> OmniAuth::Strategies::OAuth2::CallbackError at /auth/google/callback
> csrf_detected | CSRF detected

My code:

require 'sinatra'
require "sinatra/json"
require "sinatra/config_file"
require 'omniauth-oauth2'
require 'omniauth-google-oauth2'

use Rack::Logger

config_file "config/app_config.yml"
use Rack::Session::Cookie, secret: '5fb7w345y3489f523y4h'

configure do
  enable :sessions
end

use OmniAuth::Builder do
  provider :google_oauth2, settings.google[:client_id], settings.google[:secret],
           {
             :scope => "userinfo.profile",
             :access_type => "offline",
             :prompt => "select_account consent",
             :name => "google"   # mounts the strategy at /auth/google
           }
end

get '/list' do
  json get_list
end

get '/' do
  %Q|<a href='/auth/google'>Sign in with Google</a>|
end

# OmniAuth redirects here after Google returns code and state
get '/auth/:name/callback' do
  @auth = request.env['omniauth.auth']
  @auth.inspect
end

My callback is returning both code and state.

#2
Are you hitting back and reattempting to log in? I was getting this issue and it was really confusing me, but it was because I was going back to retry. If I typed in the address again, I wouldn't get the issue.

#3
If you are using Devise with OmniAuth you need to skip the extra omniauth.rb initializer file and simply add config.provider "KEY", "SECRET" inside your initializers/devise.rb and then carry on with your implementation.

#4
Got the same problem

> (google_oauth2) Callback phase initiated.
> (google_oauth2)
> Authentication failure! csrf_detected:
> OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF
> detected


The last omniauth-oauth2 update introduced the "state" param as a mandatory field.

Some people suggest using provider_ignores_state: true, but it's a bad idea because it introduces a CSRF flaw.

Guess we'll have to downgrade to previous version to keep google_oauth2 working.

Issue it on


#5
This problem occurs with rails when the domain defined in `/config/initializer/session_store.rb` is different from the origin/redirect_uri defined in the google api console.

MyApp::Application.config.session_store :cookie_store, key: '_app_session', domain: 'my_app.com'

Removing the domain params or using the same domain on both sides fixed the problem.
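Added illustration, not code from this thread or from the omniauth-oauth2 gem: a small Ruby model of the state check behind the csrf_detected error, run through the situations described in replies #2 and #5 and with the check disabled as provider_ignores_state: true would do. Class, method and scenario names are invented for the example.

```ruby
require 'securerandom'

# Model of the OAuth2 state check that raises csrf_detected (illustrative; not OmniAuth's code).
class StateCheck
  CsrfDetected = Class.new(StandardError)

  # Request phase (/auth/google): mint a random state, remember it in the session, send it to Google.
  def self.request_phase(session)
    session['omniauth.state'] = SecureRandom.hex(24)
  end

  # Callback phase (/auth/google/callback): the state Google echoes back must equal the one in the
  # session, and it is consumed on use. provider_ignores_state: true skips the whole comparison.
  def self.callback_phase(session, params, ignore_state: false)
    stored = session.delete('omniauth.state')
    if !ignore_state && (params['state'].to_s.empty? || params['state'] != stored)
      raise CsrfDetected, 'csrf_detected | CSRF detected'
    end
    params['code'] # the authorization code the app would now exchange for a token
  end
end

# Runs one scenario and returns either the accepted code or the error message.
def simulate(scenario)
  session = {}
  state = StateCheck.request_phase(session)
  params = { 'state' => state, 'code' => 'abc' } # constructed callback query string
  case scenario
  when :happy
    StateCheck.callback_phase(session, params)
  when :back_button
    # Reply #2: the first callback consumes the state, so replaying the same URL after "Back" fails.
    StateCheck.callback_phase(session, params)
    StateCheck.callback_phase(session, params)
  when :session_lost
    # Reply #5: cookie domain mismatch, so the browser sends no session cookie with the callback.
    StateCheck.callback_phase({}, params)
  when :ignores_state
    # provider_ignores_state: true, so even a callback with no matching session is accepted.
    StateCheck.callback_phase({}, params, ignore_state: true)
  end
rescue StateCheck::CsrfDetected => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  %i[happy back_button session_lost ignores_state].each { |s| puts "#{s}: #{simulate(s)}" }
end
```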