Don't delete the omniauth.state, it can contain useful data...

nexiahome-orig · Feb 22, 2016 · 7603256 · 7603256
1 parent 70198de
commit 7603256
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/lib/omniauth/strategies/nest.rb b/lib/omniauth/strategies/nest.rb
@@ -33,6 +33,25 @@ def authorize_params
         session["omniauth.state"] = params[:state]
         params
       end
+
+      def callback_phase # rubocop:disable AbcSize, CyclomaticComplexity, MethodLength, PerceivedComplexity
+        error = request.params["error_reason"] || request.params["error"]
+        if error
+          fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
+        elsif !options.provider_ignores_state && (request.params["state"].to_s.empty? || request.params["state"] != session["omniauth.state"])
+          fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
+        else
+          self.access_token = build_access_token
+          self.access_token = access_token.refresh! if access_token.expired?
+          super
+        end
+      rescue ::OAuth2::Error, CallbackError => e
+        fail!(:invalid_credentials, e)
+      rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+        fail!(:timeout, e)
+      rescue ::SocketError => e
+        fail!(:failed_to_connect, e)
+      end
     end
   end
 end