Usually, when a GitHub App installation is initialized from my application, the omniauth gem initiates the request phase, sets the state param and the cookie, and redirects users to the installation URL. After installation, the request is sent back to the backend, where omniauth checks that the state param is present and that it's equal to the one in the cookie to prevent a CSRF attack. When the GitHub App is installed from the Marketplace, the user is redirected to the installation URL without the state param. When the backend receives the response, the omniauth gem raises the CSRF error. Is there a way to prevent it without resorting to setting the ignore_provider_state: true option?

This is my GitHub strategy:
module OmniAuth
  module Strategies
    # GitHub App strategy built on the stock GitHub OAuth2 strategy: the
    # authorize step is pointed at the app's installation page instead of
    # the usual /login/oauth/authorize endpoint.
    class GitHubApp < OmniAuth::Strategies::GitHub
      option :client_options, {
        site: 'https://api.github.com',
        authorize_url: "https://github.com/apps/#{ENV['GITHUB_APP_SLUG']}/installations/new",
        token_url: 'https://github.com/login/oauth/access_token'
      }
      option :redirect_url, "#{Settings.app.host}/auth/github/callback"

      info do
        {
          'username' => raw_info['login']
        }
      end

      # Use the configured redirect URL, falling back to OmniAuth's default
      # (current host + callback path).
      def callback_url
        options.redirect_url || (full_host + callback_path)
      end
    end
  end
end
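The state/cookie comparison the question describes, together with one way to treat a callback that arrives with no state at all, as an added example in plain Ruby. It is not part of the original post and not the omniauth gem's own code; the session key name, the `/auth/github` request path and the outcome names are assumptions made for the example. Instead of switching the check off, a state-less callback is answered by sending the user back into the request phase, so that a state is minted and verified on the second pass.

```ruby
require 'securerandom'

# Added example, not from the original post or the omniauth gem: a minimal
# model of the state/cookie CSRF check that the callback phase performs, plus
# one way to handle a callback that carries no state (the Marketplace-initiated
# install) without disabling the check globally.
module OAuthStateGuard
  # Session key under which the pending state is kept (name assumed here;
  # it is not necessarily what the gem uses).
  STATE_KEY = 'omniauth.state'

  # Request phase: mint an unguessable state, remember it in the cookie-backed
  # session, and build the URL the user is sent to.
  def self.request_phase(session, authorize_url)
    state = SecureRandom.hex(24)
    session[STATE_KEY] = state
    "#{authorize_url}?state=#{state}"
  end

  # Callback phase. The pending state is consumed on every callback so it can
  # never be replayed. Returns:
  #   :ok             state present and equal to the session copy
  #   :csrf_detected  state present but no pending state, or a mismatch
  #   :restart        no state parameter at all (Marketplace case): the caller
  #                   should send the user back into the request phase
  def self.callback_phase(session, params)
    expected = session.delete(STATE_KEY)
    provided = params['state']

    return :restart if provided.nil? || provided.empty?
    return :csrf_detected if expected.nil?
    return :csrf_detected unless secure_compare(expected, provided)

    :ok
  end

  # Map an outcome to what the app should do next. The request path is the
  # assumed OmniAuth entry point for the provider.
  def self.next_action(outcome, request_path: '/auth/github')
    case outcome
    when :ok      then [:continue, nil]
    when :restart then [:redirect, request_path]
    else               [:fail, 'csrf_detected']
    end
  end

  # Constant-time comparison so that a mismatch is not observable by timing.
  # Length is checked up front; state values have a fixed length anyway.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    left = a.unpack('C*')
    diff = 0
    b.each_byte { |byte| diff |= byte ^ left.shift }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed walk-through: a normal flow, then a state-less callback.
  session = {}
  url = OAuthStateGuard.request_phase(session, 'https://github.com/apps/example-app/installations/new')
  state = url.split('state=').last
  p OAuthStateGuard.callback_phase(session, 'state' => state)          # :ok
  p OAuthStateGuard.callback_phase({}, 'code' => 'constructed-code')    # :restart
  p OAuthStateGuard.next_action(:restart)                               # [:redirect, "/auth/github"]
end
```

The `:restart` branch discards whatever the state-less redirect carried and costs the user one extra round trip through the provider; in exchange every callback that is actually consumed has passed the state check, and a forged callback that simply omits `state` gains nothing, because it never reaches the token exchange.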