isaacsanders / omniauth-stripe-connect

Stripe Connect OAuth2 Strategy for OmniAuth 1.0
MIT License
130 stars 74 forks

_method param being sent to Stripe Connect #57

Closed daveharris closed 1 year ago

daveharris commented 4 years ago

Hi,

I'm not sure if this is a problem caused by omniauth-stripe-connect, but I'm not sure where else to put it.

To fix CVE-2015-9284 I have upgraded my OmniAuth version to v1.9.0 and installed omniauth-rails_csrf_protection. I then updated my view to add method: :post:

<%= link_to 'Connect with Stripe', user_stripe_connect_omniauth_authorize_path, class: 'ui secondary button' %>

to

<%= link_to 'Connect with Stripe', user_stripe_connect_omniauth_authorize_path, class: 'ui secondary button', method: :post %>

When I click this link, it redirects to the URL https://connect.stripe.com/oauth/authorize?_method=post&authenticity_token=...&client_id=ca_...&response_type=code&scope=read_write&state=...

Notice that the URL contains _method=post. Stripe rejects the authentication request with a "The user denied your request" error. If I remove the _method=post from the URL it works fine.

Rails log:

Started POST "/users/auth/stripe_connect" for 127.0.0.1 at 2019-10-08 11:51:29 +1300
I, [2019-10-08T11:51:29.226410 #90294]  INFO -- omniauth: (stripe_connect) Request phase initiated.
Started GET "/users/auth/stripe_connect/callback?state=740b4e6b0a76265b85ebbdf5999febce6b3ead21e761ae07&error=access_denied&error_description=The+user+denied+your+request" for 127.0.0.1 at 2019-10-08 11:51:30 +1300
I, [2019-10-08T11:51:30.057010 #90294]  INFO -- omniauth: (stripe_connect) Callback phase initiated.
E, [2019-10-08T11:51:30.057657 #90294] ERROR -- omniauth: (stripe_connect) Authentication failure! access_denied: OmniAuth::Strategies::OAuth2::CallbackError, access_denied | The user denied your request
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"state"=>"740b4e6b0a76265b85ebbdf5999febce6b3ead21e761ae07", "error"=>"access_denied", "error_description"=>"The user denied your request"}
  User Load (0.4ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 ORDER BY "users"."id" ASC LIMIT $2  [["id", 7], ["LIMIT", 1]]
  ↳ app/controllers/application_controller.rb:170
Redirected to http://localhost:3000/users/sign_in
Completed 302 Found in 2ms (ActiveRecord: 0.4ms)

The _method=post is being passed from the controller through to Stripe, as the link_to helper produces this HTML: <a class="ui secondary button" rel="nofollow" data-method="post" href="/users/auth/stripe_connect">Connect with Stripe</a>.

I can't use the button_to approach as the link is inside another form, but this does work if I put it outside the form.

Any ideas? I have searched for whitelisting or blacklisting parameters in omniauth and omniauth-stripe-connect but haven't come up with anything.
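The URL in the report shows the two hidden fields that rails-ujs adds to its generated form (_method and authenticity_token) being copied straight onto the third-party authorize URL, which both breaks the Stripe request and ships the application's CSRF token to another origin. The following is an added example, not code from omniauth-stripe-connect or from the reporter: it contrasts a request-phase URL builder that forwards every inbound parameter with one that only forwards an allowlist of OAuth2 parameters. The constant names, the helper functions and the choice of forwardable parameters (scope, stripe_landing, always_prompt) are assumptions made for the illustration, and the sample POST body is constructed to match the link_to markup shown above.

```ruby
# Added example (not omniauth-stripe-connect code). Shows why forwarding all
# inbound request parameters into an OAuth2 authorize URL is a mistake, and
# how an allowlist avoids it.
require "uri"
require "securerandom"

STRIPE_AUTHORIZE_ENDPOINT = "https://connect.stripe.com/oauth/authorize"

# Parameters this example allows a caller to override per request
# (assumption for illustration). Everything else in the inbound request,
# including rails-ujs's _method and authenticity_token, is dropped.
FORWARDABLE_PARAMS = %w[scope stripe_landing always_prompt].freeze

# Constructed sample: the body rails-ujs POSTs for a link_to with
# data-method="post" inside a Rails app with CSRF protection on.
SAMPLE_REQUEST_PARAMS = {
  "_method"            => "post",
  "authenticity_token" => "sample-csrf-token",
  "scope"              => "read_only",
}.freeze

# Naive builder mirroring the behaviour seen in the issue: every inbound
# parameter is merged onto the outbound URL. The CSRF token and _method end
# up in Stripe's logs and in the user's browser history.
def forward_all_authorize_url(client_id, request_params, state: SecureRandom.hex(24))
  query = { "client_id" => client_id, "response_type" => "code", "state" => state }
  query = query.merge(request_params) # forwards _method, authenticity_token, ...
  "#{STRIPE_AUTHORIZE_ENDPOINT}?#{URI.encode_www_form(query.sort)}"
end

# Allowlisted builder: fixed OAuth2 parameters plus only the keys named in
# FORWARDABLE_PARAMS. Unknown keys never reach the authorize URL.
def allowlisted_authorize_url(client_id, request_params, state: SecureRandom.hex(24), scope: "read_write")
  query = {
    "client_id"     => client_id,
    "response_type" => "code",
    "scope"         => scope,
    "state"         => state,
  }
  request_params.each do |key, value|
    next unless FORWARDABLE_PARAMS.include?(key.to_s)
    query[key.to_s] = value.to_s
  end
  "#{STRIPE_AUTHORIZE_ENDPOINT}?#{URI.encode_www_form(query.sort)}"
end

# Returns the query parameter names of a URL, in order, for inspection.
def query_keys(url)
  URI.decode_www_form(URI(url).query.to_s).map(&:first)
end

# True when a form-helper artefact leaked into the authorize URL.
def leaks_form_artifacts?(url)
  keys = query_keys(url)
  keys.include?("_method") || keys.include?("authenticity_token")
end

if __FILE__ == $PROGRAM_NAME
  bad  = forward_all_authorize_url("ca_example", SAMPLE_REQUEST_PARAMS, state: "demo")
  good = allowlisted_authorize_url("ca_example", SAMPLE_REQUEST_PARAMS, state: "demo")
  puts "forward-all : #{bad}  (leaks? #{leaks_form_artifacts?(bad)})"
  puts "allowlisted : #{good}  (leaks? #{leaks_form_artifacts?(good)})"
end
```

The allowlisted builder still honours a per-request scope override (read_only in the sample), so the legitimate use of inbound parameters is preserved while the CSRF token stays inside the application. The same allowlist rule applies to any request-phase parameter an OmniAuth strategy copies from request.params.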

isaacsanders commented 4 years ago

I'm sorry, I don't think I have any ideas for you currently.

edlebert commented 4 years ago

Instead of method: :post, I believe you need data: { method: :post }, or you need to use button_to instead of link_to

daveharris commented 1 year ago

Not an issue with omniauth-stripe-connect and I've been able to change where the <form> tag is so I can use a <button> instead