Project

General

Profile

Actions

Defect #15735

closed

OpenID login fails due to CSRF verification

Added by Marcel M almost 11 years ago. Updated almost 11 years ago.

Status:
Closed
Priority:
Normal
Category:
Accounts / authentication
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Hi,

after upgrading from 2.3.0 to 2.4.1 I could no longer login via openid.

This is the log snippet:

Generated checkid_setup request to https://openid.xxx.com/index.php?user=John.Doe
 with assocication bmshmeqgqqlrpqbu5sjo4g3g84
Started GET "/support/login?_method=post&openid1_claimed_id=...
 for 192.168.x.x at Sun Dec 15 15:24:48 +0100 2013
Processing by AccountController#login as HTML
  Parameters: {"openid1_claimed_id"=>"https://openid.xxx.com/John.Doe", "rp_nonce"=>"2013-12-15T14:24:43ZZ0jbBB"}
WARNING: Can't verify CSRF token authenticity
  Rendered common/error.html.erb within layouts/base (0.8ms)
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 422 Unprocessable Entity in 28.0ms (Views: 27.3ms | ActiveRecord: 0.0ms)

After googling a bit I found a solution based on this https://github.com/xaviershay/enki/issues/91

So I tweaked app/controllers/account_controller.rb a bit:

diff redmine/app/controllers/account_controller.rb redmine-2.4.1/app/controllers/account_controller.rb
23,25c23
<   skip_before_filter :check_if_login_required, :check_password_change, :verify_authenticity_token, :only => :login
<   before_filter :verify_authenticity_token_unless_openid, :only => :create
< 
---
>   skip_before_filter :check_if_login_required, :check_password_change
345,349d342
< 
<   def verify_authenticity_token_unless_openid
<     verify_authenticity_token unless using_open_id?
<   end
<

and I can now successfully login.

From my point of view I did not introduce a security issue here but a 2nd opionion would be great before this is added to redmine.

Actions #1

Updated by Toshi MARUYAMA almost 11 years ago

  • Target version set to 2.4.2
Actions #2

Updated by Jean-Philippe Lang almost 11 years ago

  • Subject changed from OpenID login and CSRF failure to OpenID login fails due to CSRF verification
  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

This is fixed in r12438, thanks for pointing this out.

Actions #3

Updated by Jean-Philippe Lang almost 11 years ago

  • Status changed from Resolved to Closed

Merged.

Actions #4

Updated by Jean-Philippe Lang almost 11 years ago

  • Has duplicate Feature #11907: Custom Field Version (Locked/Open) added
Actions #5

Updated by Jean-Philippe Lang almost 11 years ago

  • Has duplicate deleted (Feature #11907: Custom Field Version (Locked/Open))
Actions

Also available in: Atom PDF