From 04d85c79fb4f3b3402ef9a782f3f32cd92df84b5 Mon Sep 17 00:00:00 2001 From: Andrej Shadura <andrew.shadura@collabora.co.uk> Date: Mon, 31 Jan 2022 18:33:02 +0100 Subject: [PATCH] Only store the 'info' part of the auth hash in the session The auth hash can be quite large, and with session storage in cookies, the cookie can easily reach the 4 KB limit. Work around this issue by only storing the part of the hash we currently use. Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> --- .../controllers/webui/session_controller.rb | 23 ++++++++++--------- src/api/app/models/user.rb | 8 +++---- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/src/api/app/controllers/webui/session_controller.rb b/src/api/app/controllers/webui/session_controller.rb index 29973ef7cb..e602cf7fe0 100644 --- a/src/api/app/controllers/webui/session_controller.rb +++ b/src/api/app/controllers/webui/session_controller.rb @@ -46,10 +46,11 @@ class Webui::SessionController < Webui::WebuiController def sso_callback @auth_hash = request.env['omniauth.auth'] - user = User.find_with_omniauth(@auth_hash) + user = User.find_with_omniauth(@auth_hash['info']) unless user - session[:auth] = @auth_hash + session[:auth] = @auth_hash['info'] + session[:auth]['provider'] = @auth_hash['provider'] redirect_to(sso_confirm_path) return end 
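Review bot: `session[:auth] = @auth_hash['info']` still copies every info field the provider returns (image, description, urls, location and whatever else the strategy fills in), so the cookie can still grow towards the limit the commit is working around, and it persists more identity data in the cookie than sso_confirm ever reads. The following line also mutates that same object, so `@auth_hash['info']` (and therefore request.env['omniauth.auth']) carries a spurious `provider` key for anything else that inspects it later in the request. Keeping only the keys the confirm flow uses addresses both: `session[:auth] = @auth_hash['info'].to_h.slice('username', 'nickname', 'email', 'name').merge('provider' => @auth_hash['provider'])` (`to_h` in case the info object is a Hashie mash rather than a plain Hash). sso_callback's body continues outside the hunk.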
@@ -69,19 +70,19 @@ class Webui::SessionController < Webui::WebuiController def sso_confirm switch_to_webui2 - auth_hash = session[:auth] + auth_info = session[:auth] - if !auth_hash + if !auth_info redirect_to sso_path return end # Try to derive a username from the information available, # falling back to full name if nothing else works - @derived_username = auth_hash['info']['username'] || - auth_hash['info']['nickname'] || - auth_hash['info']['email'] || - auth_hash['info']['name'] + @derived_username = auth_info['username'] || + auth_info['nickname'] || + auth_info['email'] || + auth_info['name'] # Some providers set username or nickname to an email address # Derive the username from the local part of the email address, @@ -93,9 +94,9 @@ class Webui::SessionController < Webui::WebuiController def do_sso_confirm required_parameters :login - auth_hash = session[:auth] + auth_info = session[:auth] - if !auth_hash + if !auth_info redirect_to sso_path return end @@ -108,7 +109,7 @@ class Webui::SessionController < Webui::WebuiController end begin - user = User.create_with_omniauth(auth_hash, params[:login]) + user = User.create_with_omniauth(auth_info, params[:login]) rescue ActiveRecord::ActiveRecordError flash[:error] = "Invalid username, please try a different one" redirect_to sso_confirm_path diff --git a/src/api/app/models/user.rb b/src/api/app/models/user.rb index fd21734188..1156e291a7 100644 --- a/src/api/app/models/user.rb +++ b/src/api/app/models/user.rb @@ -226,7 +226,7 @@ class User < ApplicationRecord def self.find_with_omniauth(auth) if auth - email = auth['info']['email'] + email = auth['email'] user = find_by_email(email) if user user.mark_login! 
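Review bot: The fallback chain `auth_info['username'] || auth_info['nickname'] || auth_info['email'] || auth_info['name']` stops at the first key that is present, and an empty string is truthy in Ruby, so a provider that sends `username: ""` yields an empty derived username instead of falling through to nickname or email. `@derived_username = auth_info['username'].presence || auth_info['nickname'].presence || auth_info['email'].presence || auth_info['name']` keeps the intended priority using Rails' `presence`. The chain behaved the same before the rename, but these lines are being rewritten anyway. sso_confirm continues past the hunk with the email local-part derivation.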
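Review bot: `email = auth['email']` followed by `find_by_email(email)` does not reject a missing address, and `find_by_email(nil)` is an `email IS NULL` lookup; if any user row has a NULL email, an SSO identity whose info hash carries no `email` would be matched to that account and, via the `user.mark_login!` path below, logged in as it. A guard before the lookup closes this: `return nil if email.blank?` (adjusted to whatever the method's not-found path returns; the rest of find_with_omniauth is outside the hunk). Whether the users table permits NULL or empty emails is not visible here, so the severity is unconfirmed, but the check is cheap either way.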
@@ -238,14 +238,14 @@ class User < ApplicationRecord def self.create_with_omniauth(auth, login) provider = CONFIG['sso_auth'][auth['provider']]['description'] - email = auth['info']['email'] + email = auth['email'] logger.debug("Creating OmniAuth user for #{provider}") logger.debug("Email: #{email}") - logger.debug("Name : #{auth['info']['name']}") + logger.debug("Name : #{auth['name']}") user = create_external_user(login: login, email: email, - realname: auth['info']['name'], + realname: auth['name'], deprecated_password_hash_type: 'invalid', adminnote: "User created via #{provider}") user.mark_login! -- GitLab
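Review bot: `logger.debug("Email: #{email}")` and the rewritten `logger.debug("Name : #{auth['name']}")` write personal data received from the identity provider into application logs; since the Name line is being touched, consider reducing both to `logger.debug("Creating OmniAuth user #{login} via #{provider}")` and dropping the email and name values. Separately, `email = auth['email']` and `realname: auth['name']` now assume the flat shape that the new sso_callback stores, so a session written by the previous sso_callback (nested under `info`) that survives the deploy reaches `create_external_user` with nil email and realname; a `raise ActiveRecord::ActiveRecordError, 'SSO profile without email' if email.blank?` before the create would surface that through the rescue do_sso_confirm already has. create_with_omniauth continues beyond the hunk.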