auth0 / omniauth-auth0

OmniAuth strategy to login with Auth0
MIT License

How does get_state work? #61

Closed mjc-gh closed 6 years ago

mjc-gh commented 6 years ago

In the Rails login tutorial here, a SessionHelper module is defined with a get_state method. This module looks like:

# app/helpers/session_helper.rb
require 'securerandom' # autoloaded by Rails, but explicit for clarity

module SessionHelper
  # Generate a random, unguessable OAuth2 "state" value, store it in the
  # session so it can be checked on the callback, and return it.
  def get_state
    state = SecureRandom.hex(24)
    session['omniauth.state'] = state

    state
  end
end

I'm just curious what is responsible for calling this method? Does this gem use this method, or does another omniauth gem use this method? Just want to understand how this code is being used. Thanks!

joshcanhelp commented 6 years ago

Hi @mikeycgto ... thanks for the heads-up on that. I think that was an artifact of an older version of that tutorial that never got changed (even in our last revision recently). We don't want to mess around with security features like state validation and it works fine with that method in place. That said, it looks like the strategy we're extending, omniauth/omniauth-oauth2, does state validation internally.

Generated:

https://github.com/omniauth/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L52

Stored:

https://github.com/omniauth/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L58

Validated:

https://github.com/omniauth/omniauth-oauth2/blob/master/lib/omniauth/strategies/oauth2.rb#L70

... all of which was added in 2012:

https://github.com/omniauth/omniauth-oauth2/commit/9029a4a7ac92906f75c25efbde2ab4e102ac3427#diff-1894759d724182a93ca97be91b43a7bc

I just deleted that from a pair of sample apps and everything works fine: callback is functional and modifying session['omniauth.state'] mid-flight fails during the callback.

I'll bring this up with our documentation team and get that removed. Thanks again!
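The generate / store / validate sequence linked above, modelled as an added example (this is not omniauth-oauth2's code and not code from this thread): the session is a plain Hash, and `StateCheck` and its method names are assumptions for illustration. It also reproduces the "modify the session mid-flight" check described in the last comment.

```ruby
require 'securerandom'

# Minimal model of the OAuth2 "state" CSRF protection that omniauth-oauth2
# performs for the Auth0 strategy. Names here are illustrative assumptions.
module StateCheck
  STATE_KEY = 'omniauth.state'

  # Request phase: mint a fresh random state, remember it in the session and
  # return it so it can be appended to the authorize redirect.
  def self.generate_state(session)
    state = SecureRandom.hex(24)
    session[STATE_KEY] = state
    state
  end

  # Constant-time comparison so the check does not leak how many leading
  # bytes matched; lengths must be equal before comparing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Callback phase: the state echoed back by the provider must equal the one
  # stored in the session. The stored value is consumed so it is single-use.
  def self.valid_callback_state?(session, returned_state)
    stored = session.delete(STATE_KEY)
    return false if stored.nil? || returned_state.nil?
    secure_compare(stored, returned_state)
  end

  # Simulated login flow. With tamper: true the session value is changed
  # between the redirect and the callback, which must make validation fail.
  def self.simulate_flow(tamper: false)
    session = {}
    state_in_redirect = generate_state(session)
    session[STATE_KEY] = SecureRandom.hex(24) if tamper
    valid_callback_state?(session, state_in_redirect)
  end
end

puts "clean flow valid:    #{StateCheck.simulate_flow}"
puts "tampered flow valid: #{StateCheck.simulate_flow(tamper: true)}"
```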