[Bps-public-commit] RT-Authen-OpenID branch, rt4, updated. b16d7a2fff185b9730bf7617ad450b4912d0da35

Thomas Sibley trs at bestpractical.com
Mon Mar 11 18:14:14 EDT 2013


The branch, rt4 has been updated
       via  b16d7a2fff185b9730bf7617ad450b4912d0da35 (commit)
      from  55bb2c0b6db32f70f38d175dc1092ff94d3a8f09 (commit)

Summary of changes:
 html/Callbacks/OpenID/autohandler/Session | 2 +-
 html/NoAuth/openid                        | 5 +++++
 lib/RT/Authen/OpenID.pm                   | 3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 html/NoAuth/openid

- Log -----------------------------------------------------------------
commit b16d7a2fff185b9730bf7617ad450b4912d0da35
Author: Thomas Sibley <trs at bestpractical.com>
Date:   Mon Mar 11 15:11:59 2013 -0700

    Return to a specific OpenID endpoint so we can CSRF whitelist it
    
    This avoids CSRF restrictions when the user is redirected back to us
    from the OpenID provider.  Whitelisting a /NoAuth url is not currently
    required as all NoAuth paths skip CSRF protection but doing so declares
    our intent and provides a modicum of future-proofing should that
    assumption change.

diff --git a/html/Callbacks/OpenID/autohandler/Session b/html/Callbacks/OpenID/autohandler/Session
index 986d17c..042776a 100644
--- a/html/Callbacks/OpenID/autohandler/Session
+++ b/html/Callbacks/OpenID/autohandler/Session
@@ -30,7 +30,7 @@ my $csr = Net::OpenID::Consumer->new(
 if ($openid_url) {
     if ( my $claimed_identity = $csr->claimed_identity("$openid_url")) {
         $check_url = $claimed_identity->check_url(
-                return_to      => RT->Config->Get("WebURL"),
+                return_to      => RT->Config->Get("WebURL") . "NoAuth/openid",
                 delayed_return => 1,
                 trust_root     => RT->Config->Get("WebURL"),
                 );
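Review bot: the string concatenation `RT->Config->Get("WebURL") . "NoAuth/openid"` on the `return_to` line assumes `WebURL` is configured with a trailing slash; without one the return URL would become `https://host/rtNoAuth/openid` and the provider would redirect to a non-existent component. A one-line comment stating that RT normalizes `WebURL` to end in a slash (or a defensive `s{/?$}{/}` before appending) would make the assumption explicit. The `trust_root` is left at `WebURL`, so the new `return_to` still lies within the trust root, which is what the provider requires.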
diff --git a/html/NoAuth/openid b/html/NoAuth/openid
new file mode 100644
index 0000000..d9cc0f7
--- /dev/null
+++ b/html/NoAuth/openid
@@ -0,0 +1,5 @@
+<%init>
+# All the actual auth is handled in an autohandler callback.  This simply
+# provides a CSRF-whitelisted endpoint.
+RT::Interface::Web::Redirect( RT->Config->Get("WebPath") );
+</%init>
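Review bot: the component redirects unconditionally to `WebPath`, including when the autohandler callback did not establish a session, so the failure path silently lands the user on the login page with no indication that the OpenID response was rejected. If that is intended (the callback presumably records its own error), the comment on the `# All the actual auth is handled` line should say so; otherwise consider passing a results message through the redirect. The comment is otherwise accurate: nothing in this file touches the OpenID response, it only supplies the whitelisted landing URL.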
diff --git a/lib/RT/Authen/OpenID.pm b/lib/RT/Authen/OpenID.pm
index caf24c8..9bd1bbe 100644
--- a/lib/RT/Authen/OpenID.pm
+++ b/lib/RT/Authen/OpenID.pm
@@ -6,6 +6,9 @@ use warnings;
 
 our $VERSION = '0.04';
 
+require RT::Interface::Web;
+$RT::Interface::Web::is_whitelisted_component{'/NoAuth/openid'} = 1;
+
 =head1 NAME
 
 RT::Authen::OpenID - Allows RT to do authentication via a service which supports the OpenID API
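Review bot: the assignment to `%RT::Interface::Web::is_whitelisted_component` on the `$RT::Interface::Web::is_whitelisted_component{'/NoAuth/openid'} = 1;` line writes into a package variable of core RT rather than going through an API, so the extension is now coupled to that variable's name and semantics in the RT version it is loaded against; a short comment naming the RT version this was verified with, and that the key is the component path without `WebPath`, would help whoever upgrades RT later. Doing this at module load via `require RT::Interface::Web` is fine since `RT::Authen::OpenID` is itself loaded by `@Plugins`, but the commit message already notes that `/NoAuth/` paths bypass CSRF checks today, so a comment to that effect here would save the next reader the same investigation.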

-----------------------------------------------------------------------