Closed pirj closed 3 years ago
Replacing omniauth-identity with hand-made authentication was a matter of half an hour and a few lines of code. Now I don't have any autogenerated forms, GET callbacks with plaintext passwords, or extra dependencies.
Consider yanking the gem as completely unusable.
The requests are made upstream by the core omniauth gem. I think you may be referring to the open CVE on omniauth, which requires app-level modifications to resolve.
In any case, this gem doesn't make requests, omniauth does. Closing.
/auth/identity/callback is called using HTTP GET and this has a major downside, since the path is saved in browser history with cleartext password and auth_key.
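One app-level guard for the problem described in this thread, as an added example (not code from omniauth-identity or omniauth): a Rack middleware that refuses any request to the callback path whose query string carries `password` or `auth_key`. It assumes the login form sends these fields in a POST body and that the app is mounted at the root path; the class name is hypothetical. A rejected URL has already reached the browser's history, so the guard's job is to make a GET-based login flow fail in development and testing instead of shipping.

```ruby
require "uri"

# Added example: plain Rack middleware (needs no gems, only the Rack calling convention).
class RejectCredentialsInQuery
  CALLBACK_PATH = "/auth/identity/callback"       # path named in the issue
  SENSITIVE_PARAMS = %w[password auth_key].freeze # parameter names named in the issue

  def initialize(app, path: CALLBACK_PATH)
    @app = app
    @path = path
  end

  def call(env)
    # Only the callback path is inspected; a trailing slash is tolerated.
    return @app.call(env) unless env["PATH_INFO"].to_s.chomp("/") == @path
    return @app.call(env) if sensitive_keys(env["QUERY_STRING"].to_s).empty?

    # Do not echo the query string back, and forbid caching of the response.
    headers = { "content-type" => "text/plain", "cache-control" => "no-store" }
    [400, headers, ["Credentials must be sent in the request body, not the URL\n"]]
  end

  private

  # Decode keys before comparing, so that "pass%77ord" is recognised as "password".
  def sensitive_keys(query)
    URI.decode_www_form(query).map(&:first).select { |k| SENSITIVE_PARAMS.include?(k) }.uniq
  rescue ArgumentError
    # Input the parser refuses (for example non-ASCII bytes): fail closed.
    [:unparseable]
  end
end

# Constructed sample requests, runnable without a web server.
if $PROGRAM_NAME == __FILE__
  app = RejectCredentialsInQuery.new(->(_env) { [200, {}, ["ok"]] })
  samples = {
    "GET with credentials in URL" => "auth_key=user%40example.test&password=hunter2",
    "POST with empty query"       => ""
  }
  samples.each do |label, query|
    env = { "PATH_INFO" => "/auth/identity/callback", "QUERY_STRING" => query }
    puts "#{label}: #{app.call(env)[0]}"
  end
end
```

In a Rails or Rack app it would be inserted ahead of the OmniAuth middleware so the request never reaches the strategy or the application's parameter logging.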