While testing OmniAuth and following Ryan Bates' popular videos, I thought there was a major security hole. Here is an example.
I have two users: Aurelien and John.
In the morning, John logs in to Twitter but forgets to log out. Then he goes to myapplication and connects to the Twitter service through http://myapplication.com/auth/twitter. He is automatically assigned a Twitter authentication, because Twitter remembers that John was logged in. John goes to work.
Meanwhile his brother Aurelien uses myapplication on the same computer. He decides he wants to post a tweet from myapplication and goes to http://myapplication.com/auth/twitter to sign in to his Twitter account through OmniAuth. What a surprise! He doesn't need to log in, but when redirected to the callback URL he discovers he is currently logged in as John!
Nowadays I want to believe that the majority of users don't share their computer/tablet/phone, but I am sure this is a recurrent problem.
What strategy or logic could you follow to prevent this from happening?
For instance, how can you make sure that a different user of myapplication is required to log in to Twitter instead of reusing the Twitter session that was previously opened?
Examples are welcome!
Luckily, there's a Twitter OAuth option called force_login that covers that risk. There are 2 ways you can use it:

Add this option to your OmniAuth config:

And every time someone connects to the Twitter service through http://myapp.com/auth/twitter, he is automatically logged out of Twitter.

Or you can just add this option to a URL on a case-by-case basis. So for example:

http://myapp.com/auth/twitter

will behave as normal.

http://myapp.com/auth/twitter?force_login=true

will force the user to log out of Twitter.

Btw, this is all in the omniauth-twitter gem's README.
One final note: this option only exists for omniauth-twitter. Other OmniAuth providers may have similar options, but others may have none at all. For example, Facebook has an auth_type option that, when set to reauthenticate, will ask the user to just enter his password when he tries to log in. This, however, will not log out the user from Facebook. Sometimes this is what you want, sometimes it is not. Logging out the user from other services can be quite bothersome. I'd actually like it if all providers had these two options so we could choose which one to use (log out the user from the external service OR just ask for the password again), but I guess we'll have to be content with what we have. For example, as far as I know, Google has no protection for this risk.
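As an added illustration (not part of the question or the answer above, and not code from the omniauth-twitter gem), the following plain Ruby models the two things the answer describes and adds the app-side check the question asks for. The first function mirrors how the gem forwards force_login, lang and screen_name from the /auth/twitter query string onto Twitter's authorize URL, with the configured authorize_params as defaults; the second is a hypothetical callback handler that refuses to link a Twitter uid already owned by another local user and sends the browser back through /auth/twitter?force_login=true. The constant names, the in-memory USERS table and link_twitter_identity are assumptions made for the example; the config shape in the comment is the README's authorize_params form and should be checked against the gem version you use.

```ruby
require 'uri'
require 'cgi'

# Example only: a stand-in for what the gem does, so the logic runs without it.
#
# OmniAuth config shape documented in the omniauth-twitter README (verify for your version):
#   provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET'],
#            authorize_params: { force_login: 'true' }
AUTHORIZE_URL = 'https://api.twitter.com/oauth/authorize'.freeze

# Query parameters the gem's request phase copies from /auth/twitter?... onto the
# authorize URL. Anything else on the query string is dropped, so an attacker-controlled
# link cannot smuggle arbitrary parameters to Twitter through this path.
PASSTHROUGH_PARAMS = %w[force_login lang screen_name].freeze

# Where the app sends someone whose callback came back as the wrong Twitter account
# (hypothetical path for this example).
REAUTH_PATH = '/auth/twitter?force_login=true'.freeze

# Build the authorize URL for an OAuth 1.0a request token.
# config_authorize_params: the provider-wide defaults (option 1 in the answer).
# request_params:          the query string of the /auth/twitter request (option 2),
#                          which can add force_login on a case-by-case basis.
def twitter_authorize_url(oauth_token, config_authorize_params: {}, request_params: {})
  params = config_authorize_params.transform_keys(&:to_s)
  PASSTHROUGH_PARAMS.each do |key|
    params[key] = request_params[key] if request_params.key?(key)
  end
  params['oauth_token'] = oauth_token
  "#{AUTHORIZE_URL}?#{URI.encode_www_form(params)}"
end

# True when the URL will make Twitter discard its own session and show the login form.
def force_login?(url)
  CGI.parse(URI(url).query.to_s)['force_login'].first == 'true'
end

# Constructed in-memory user table: John linked his Twitter account earlier in the
# day, Aurelien has not linked anything yet.
USERS = {
  'john'     => { twitter_uid: '1001' },
  'aurelien' => { twitter_uid: nil }
}

# Called from the /auth/twitter/callback handler with the uid Twitter returned for
# the browser's Twitter session. Returns what the app should do:
#   :linked          the uid was unclaimed and is now linked to current_user_id
#   :already_current current_user_id had already linked this uid
#   :reauth_required the uid belongs to a different local user (the shared-computer
#                    case from the question); do not link it, redirect to REAUTH_PATH
#                    so Twitter forces the person at the keyboard to log in
def link_twitter_identity(users, current_user_id, twitter_uid)
  owner = users.find { |_id, u| u[:twitter_uid] == twitter_uid }&.first
  return :already_current if owner == current_user_id
  return :reauth_required if owner
  users[current_user_id][:twitter_uid] = twitter_uid
  :linked
end

if __FILE__ == $PROGRAM_NAME
  puts twitter_authorize_url('req-token', config_authorize_params: { force_login: 'true' })
  # Aurelien, logged in to myapp, hits /auth/twitter; Twitter's cookie is John's.
  puts link_twitter_identity(USERS, 'aurelien', '1001') # => reauth_required
end
```

The callback check only catches the collision when the other person's Twitter account is already known to the app; if John had never linked Twitter, the app has no way to tell his session from Aurelien's. That is why setting force_login in the provider config, rather than only on the fallback redirect, is the safer default for an app whose users may share a device.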