discourse/lib/middleware/omniauth_bypass_middleware.rb

# frozen_string_literal: true

# omniauth loves spending lots cycles in its magic middleware stack
# this middleware bypasses omniauth middleware and only hits it when needed
class Middleware::OmniauthBypassMiddleware
  module OmniAuthStrategyCompatPatch
    def callback_url
      result = super
      if script_name.present? && result.include?("#{script_name}#{script_name}")
        result = result.gsub("#{script_name}#{script_name}", script_name)
        Discourse.deprecate <<~MESSAGE
          OmniAuth strategy '#{name}' included duplicate script_name in callback url. It's likely the callback_url method is concatenating `script_name` with `callback_path`.
          OmniAuth v2 includes the `script_name` in the `callback_path` automatically, so the manual `script_name` call can be removed.
          This issue has been automatically corrected, but the strategy should be updated to ensure subfolder compatibility with future versions of Discourse.
        MESSAGE
      end
      result
    end
  end

  class PatchedOmniAuthBuilder < OmniAuth::Builder
    def use(strategy, *args, **kwargs, &block)
      if !strategy.ancestors.include?(OmniAuthStrategyCompatPatch)
        strategy.prepend(OmniAuthStrategyCompatPatch)
      end
      super(strategy, *args, **kwargs, &block)
    end
  end

  def initialize(app, options = {})
    @app = app
  end

  def call(env)
    return @app.call(env) unless env["PATH_INFO"].start_with?("/auth")

    # When only one provider is enabled, assume it can be completely trusted, and allow GET requests
    only_one_provider =
      !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1

    allow_get = only_one_provider || !SiteSetting.auth_require_interaction

    OmniAuth.config.allowed_request_methods = allow_get ? %i[get post] : [:post]

    omniauth =
      PatchedOmniAuthBuilder.new(@app) do
        Discourse.enabled_authenticators.each do |authenticator|
          authenticator.register_middleware(self)
        end
      end

    omniauth.call(env)
  end
end
PERF: bypass omniauth unless in an auth path 2018-01-15 12:44:41 +11:00			`# frozen_string_literal: true`

			`# omniauth loves spending lots cycles in its magic middleware stack`
			`# this middleware bypasses omniauth middleware and only hits it when needed`
			`class Middleware::OmniauthBypassMiddleware`
DEV: Update to OmniAuth 2.0 (#25707) 2025-02-11 11:18:07 +00:00			`module OmniAuthStrategyCompatPatch`
			`def callback_url`
			`result = super`
			`if script_name.present? && result.include?("#{script_name}#{script_name}")`
			`result = result.gsub("#{script_name}#{script_name}", script_name)`
			`Discourse.deprecate <<~MESSAGE`
			OmniAuth strategy '#{name}' included duplicate script_name in callback url. It's likely the callback_url method is concatenating `script_name` with `callback_path`.
			OmniAuth v2 includes the `script_name` in the `callback_path` automatically, so the manual `script_name` call can be removed.
			`This issue has been automatically corrected, but the strategy should be updated to ensure subfolder compatibility with future versions of Discourse.`
			`MESSAGE`
			`end`
			`result`
			`end`
			`end`

			`class PatchedOmniAuthBuilder < OmniAuth::Builder`
			`def use(strategy, args, *kwargs, &block)`
			`if !strategy.ancestors.include?(OmniAuthStrategyCompatPatch)`
			`strategy.prepend(OmniAuthStrategyCompatPatch)`
			`end`
			`super(strategy, args, *kwargs, &block)`
			`end`
UX: Improve error handling for common OmniAuth exceptions (#7991) This displays more useful messages for the most common issues we see: - CSRF (when the user switches browser) - Invalid IAT (when the server clock is wrong) - OAuth::Unauthorized for OAuth1 providers, when the credentials are incorrect This commit also stops earlier for disabled authenticators. Now we stop at the request phase, rather than the callback phase. 2019-08-12 10:55:02 +01:00			`end`
PERF: bypass omniauth unless in an auth path 2018-01-15 12:44:41 +11:00
			`def initialize(app, options = {})`
			`@app = app`
			`end`

			`def call(env)`
DEV: Update to OmniAuth 2.0 (#25707) 2025-02-11 11:18:07 +00:00			`return @app.call(env) unless env["PATH_INFO"].start_with?("/auth")`
FEATURE: Allow admins to opt-in to seamless redirects on `/auth/*` (#31235) By default, when multiple login providers are enabled, Discourse requires user interaction before triggering an external auth flow. This is defense-in-depth against "Login CSRF" attacks. This commit introduces a setting to control this behavior, so that it can be disabled when admins fully trust the downstream systems, and need an interaction-free login flow on a site with multiple login providers. Default behavior remains unchanged. 2025-02-07 11:43:39 +00:00
DEV: Update to OmniAuth 2.0 (#25707) 2025-02-11 11:18:07 +00:00			`# When only one provider is enabled, assume it can be completely trusted, and allow GET requests`
			`only_one_provider =`
			`!SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1`
FEATURE: Allow admins to opt-in to seamless redirects on `/auth/*` (#31235) By default, when multiple login providers are enabled, Discourse requires user interaction before triggering an external auth flow. This is defense-in-depth against "Login CSRF" attacks. This commit introduces a setting to control this behavior, so that it can be disabled when admins fully trust the downstream systems, and need an interaction-free login flow on a site with multiple login providers. Default behavior remains unchanged. 2025-02-07 11:43:39 +00:00
DEV: Update to OmniAuth 2.0 (#25707) 2025-02-11 11:18:07 +00:00			`allow_get = only_one_provider \|\| !SiteSetting.auth_require_interaction`
DEV: If only one auth provider is enabled allow GET request In this case, the auth provider is acting as a SSO provider, and can be trusted to maintain its own CSRF protections. 2019-08-09 14:44:03 +01:00
DEV: Update to OmniAuth 2.0 (#25707) 2025-02-11 11:18:07 +00:00			`OmniAuth.config.allowed_request_methods = allow_get ? %i[get post] : [:post]`
DEV: Only run omniauth strategies for enabled authenticators (#24094) Previously, we would build the stack of omniauth authenticators once on boot. That meant that all strategies had to be included, even if they were disabled. We then used the `before_request_phase` to ensure disabled strategies could not be used. This works well, but it means that omniauth is often doing unnecessary work running logic in disabled strategies. This commit refactors things so that we build the stack of strategies on each request. That means we only need to include the enabled strategies in the stack - disabled strategies are totally ignored. Building the stack on-demand like this does add some overhead to auth requests, but on the majority of sites that will be significantly outweighed by the fact we're now skipping logic for disabled authenticators. As well as the slight performance improvement, this new approach means that: - Broken (i.e. exception-raising) strategies cannot cause issues on a site if they're disabled - `other_phase` of disabled strategies will never appear in the backtrace of other authentication errors 2023-10-25 13:52:33 +01:00
DEV: Update to OmniAuth 2.0 (#25707) 2025-02-11 11:18:07 +00:00			`omniauth =`
			`PatchedOmniAuthBuilder.new(@app) do`
			`Discourse.enabled_authenticators.each do \|authenticator\|`
			`authenticator.register_middleware(self)`
			`end`
UX: Improve error handling for common OmniAuth exceptions (#7991) This displays more useful messages for the most common issues we see: - CSRF (when the user switches browser) - Invalid IAT (when the server clock is wrong) - OAuth::Unauthorized for OAuth1 providers, when the credentials are incorrect This commit also stops earlier for disabled authenticators. Now we stop at the request phase, rather than the callback phase. 2019-08-12 10:55:02 +01:00			`end`
DEV: Update to OmniAuth 2.0 (#25707) 2025-02-11 11:18:07 +00:00
			`omniauth.call(env)`
PERF: bypass omniauth unless in an auth path 2018-01-15 12:44:41 +11:00			`end`
			`end`