Closed classicboy closed 1 year ago
I am getting exactly the same error.
Hey @classicboy check this out: https://github.com/nhosoya/omniauth-apple/issues/54#issuecomment-662741233 and https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
Hello everyone, I was getting a "Can't verify CSRF token authenticity" after the Apple sign-in page. As said by @pablomarti I added the gem: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284 but now I'm getting an "ActionController::InvalidAuthenticityToken" just like you @classicboy. Did you manage to fix your issue? Any idea on what's going on and how to fix it?
See this interesting discussion from the Discourse guys trying to implement Apple SSO on their website.
The trouble is Apple using a POST for the final redirect. I created a dedicated controller in my Rails app to receive this POST request from Apple, on which I specifically disable all CSRF checks, and this controller just redirects to the standard OmniAuth callback URL like this:
redirect_to "/users/auth/apple/callback?state=#{request.params["state"]}&code=#{request.params["code"]}"
From testing with Apple SSO on the Discourse website, it looks like this is what they are doing.
Hope this helps!
@esellin thanks for the answer!
I finally managed to make it work by adding skip_before_action :verify_authenticity_token, only: :apple at the top of my omniauth_callbacks_controller.rb
but after that I was getting Can't verify CSRF token authenticity.
and to fix it, in config/initializers/session_store.rb I removed the domain: ...
Is it possible to implement something like Discourse plugin solution https://github.com/discourse/discourse-apple-auth/blob/40ef076fa744d562ce54f3f30921a1b387e042fb/lib/omniauth_apple.rb#L60 in this gem?
@esellin Your solution worked for me, though I had to also pass through user to get the user name properly. However, once I added Sign In With Apple JS it stopped working and started failing with csrf_detected.
Anybody have ideas?
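The relay approach from @esellin, the skip_before_action variant from @Meat-Chopper and the extra user parameter from @wilg all come down to the same mechanism: Apple delivers the authorization response as a cross-site POST, so a SameSite=Lax session cookie is not sent with it and Rails can neither verify the CSRF token nor find the OmniAuth state in the session. Below is an added example (not code from omniauth-apple, Discourse or any commenter) of such a relay written as a plain Rack-style object in stdlib Ruby so it can be run and tested outside a Rails app. The callback path /users/auth/apple/callback and the forwarded parameter set (state, code, user) are assumptions taken from the thread; in a Rails app the same logic lives in a controller action with verify_authenticity_token skipped for that action only.

```ruby
require "uri"
require "stringio"

# Hypothetical relay for Apple's form_post callback. Apple POSTs the
# authorization response cross-site, so a SameSite=Lax session cookie is not
# sent with that request and Rails cannot verify the CSRF token or find the
# OmniAuth state in the session. The relay accepts the POST without CSRF
# checks, forwards only the parameters OmniAuth needs, and answers with a
# 302 to the normal GET callback; the browser follows that redirect same-site
# with the session cookie attached, so OmniAuth's state check can run.
class AppleCallbackRelay
  # The parameters the thread ended up needing: state and code for the
  # OmniAuth/OAuth2 callback, user for the name Apple sends on first sign-in.
  FORWARDED_PARAMS = %w[state code user].freeze

  # Assumed default Devise/OmniAuth route; adjust for your app.
  def initialize(callback_path: "/users/auth/apple/callback")
    @callback_path = callback_path
  end

  # Rack-style entry point: env is a Hash, returns [status, headers, body].
  def call(env)
    unless env["REQUEST_METHOD"] == "POST"
      return [405, { "Content-Type" => "text/plain" }, ["method not allowed"]]
    end

    params = parse_form(env["rack.input"].read)
    # Without a state value OmniAuth has nothing to compare against the
    # session, so there is no point forwarding the request.
    if params["state"].to_s.empty?
      return [400, { "Content-Type" => "text/plain" }, ["missing state"]]
    end

    [302, { "Location" => redirect_location(params), "Content-Type" => "text/plain" }, ["redirecting"]]
  end

  # Build the GET callback URL. Values are URL-encoded rather than interpolated
  # raw into the string, and anything outside FORWARDED_PARAMS is dropped.
  def redirect_location(params)
    forwarded = params.select { |name, _| FORWARDED_PARAMS.include?(name) }
    "#{@callback_path}?#{URI.encode_www_form(forwarded)}"
  end

  private

  def parse_form(body)
    URI.decode_www_form(body.to_s).to_h
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of what Apple's form_post response body looks like.
  body = URI.encode_www_form(
    "state" => "e7b1d4f0",
    "code" => "c1a2b3c4.0.abcdef",
    "user" => '{"name":{"firstName":"Jane","lastName":"Doe"},"email":"jane@example.com"}'
  )
  status, headers, _body = AppleCallbackRelay.new.call(
    "REQUEST_METHOD" => "POST", "rack.input" => StringIO.new(body)
  )
  puts "#{status} -> #{headers["Location"]}"
end
```

Skipping CSRF verification on the relay is acceptable because the relay changes no state: it only turns the cross-site POST into a same-site GET. The protection for the callback itself remains OmniAuth's comparison of the state parameter with the value stored in the session, which works again once the follow-up request carries the session cookie. Forwarding a fixed allow-list of parameters and URL-encoding them avoids both leaking unexpected fields into the callback and producing a malformed URL when a value such as the JSON user blob contains reserved characters.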
Did you solve your issue @wilg?
I think I did get it working but can't look up the solution at this moment.
No worries @wilg I will keep investigating, the thing is that I am working with a Rails API and the solution from @Meat-Chopper does not work for me. If I find the answer I will post it here.
set SameSite=none on your cookie
Instead of opening up the session to potential security risks, we may merge #107 and allow the nonce to be stored in its own encrypted cookie?
I am using this gem together with Devise for the 'Sign in with Apple' feature on my web app. Everything works fine when redirecting to the Apple Sign in page. But after a successful sign in, the callback to my web app returns an error (in the local environment). I can only fix this error by adding protect_from_forgery prepend: true, only: :apple to the top of OmniauthCallbacksController. But I don't think this is the right way to fix it.