zquestz / omniauth-google-oauth2

Oauth2 strategy for Google
1.45k stars 413 forks

Is there a security vulnerability in using GET requests instead of POST? #417

Closed khier996 closed 2 years ago

khier996 commented 2 years ago

Currently the omniauth gem discourages using GET requests. It is related to a security vulnerability. At the same time, omniauth-google-oauth2, which depends on Omniauth, seems to still work with GET requests and even has this line

OmniAuth.config.allowed_request_methods = %i[get]

in the usage guide. I do not understand much about security in general, but I did read this entire monster thread about that specific vulnerability. From what I understand, the vulnerability only happens if the app allows multiple google accounts to be attached to one app account. In the app I am currently working on, this is not the case, and I suspect it's not the case for many other apps. In our app, the only user identification is email. So, different google accounts cannot be attached to one app account. If one user is logged in, and then prompted to go to GET /auth/google with another google account, they will be logged in as a different user. I did find similar comments in the omniauth monster thread, like this, this, and this. But none of those comments/questions were properly addressed. So, I thought, maybe I can find better luck in this repo.

My question is, for our use case, can we still use GET requests safely?

Also, it would be nice if this discrepancy in documentation between the omniauth and omniauth-google-oauth2 gems were addressed. Security issues are worth explaining more carefully.

zquestz commented 2 years ago

You should always use POST if you can. That would be my suggestion.

GET requests can be simulated by many things, and are easy to trigger from the user without their knowledge.

Whenever possible, POST is the way it should be done.

khier996 commented 2 years ago

@zquestz thanks for your suggestion. If it was our own site where we add the login buttons, using POST would be fine. But we build a social login plugin for other websites to use. So, there is no way to put a CSRF token there. For now we make an intermediary GET request to our app which opens a page with a hidden form and JS code that submits that form automatically. What would you recommend to do in our case?

zquestz commented 2 years ago

You just need to make sure that the GET request can't be replayed. That is all that is important.
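The thread boils down to one requirement for the request phase (the route that sends the browser to Google): it must only proceed when the caller presents a secret that a cross-site page cannot obtain, and that secret must be consumed on first use so it cannot be replayed. The block below is an added example written for this page; it is not code from the omniauth, omniauth-google-oauth2 or omniauth-rails_csrf_protection projects, and it models the check in plain Ruby with a constructed in-memory session rather than Rack or Rails. The parameter name `authenticity_token`, the session key `:auth_request_token` and the helper names are assumptions chosen for the example. It walks the cases discussed above: a forged cross-site GET, a legitimate POST carrying the session's token, a replay of that token, and the "GET only if it cannot be replayed" variant from the last comment.

```ruby
# Added example, not part of the issue thread or of any omniauth gem.
require 'securerandom'

# Constructed stand-in for a server-side session (cookie- or store-backed in a real app).
class FakeSession
  def initialize; @data = {}; end
  def [](key); @data[key]; end
  def []=(key, value); @data[key] = value; end
  def delete(key); @data.delete(key); end
end

# Constant-time comparison so the token check does not leak information through timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Called when rendering the page that holds the login button: mint a single-use token
# bound to this session. A third-party page cannot read it, so it cannot forge the request.
def issue_request_token(session)
  token = SecureRandom.hex(32)
  session[:auth_request_token] = token
  token
end

# Gate for the request phase. Returns :ok when the flow may start, otherwise a symbol
# naming why it was rejected. allow_get: true reproduces the thread's "GET is acceptable
# only if it cannot be replayed" case; the token is still required and still single-use.
def request_phase_check(session, method:, params:, allow_get: false)
  unless method == 'POST' || (allow_get && method == 'GET')
    return :method_not_allowed
  end
  # Consume the token before comparing: a second presentation of the same value must fail.
  expected  = session.delete(:auth_request_token)
  presented = params['authenticity_token']
  return :missing_token unless expected && presented
  return :invalid_token unless secure_compare(expected, presented)
  :ok
end

# Runs the scenarios from the thread and returns their outcomes keyed by name.
def demo
  results = {}

  # 1. Cross-site GET with no token (a plain link to /auth/google): rejected.
  s1 = FakeSession.new
  issue_request_token(s1)
  results[:forged_get] = request_phase_check(s1, method: 'GET', params: {})

  # 2. Legitimate POST from our own form carrying the session's token: allowed.
  s2 = FakeSession.new
  t2 = issue_request_token(s2)
  results[:legit_post] = request_phase_check(s2, method: 'POST',
                                             params: { 'authenticity_token' => t2 })

  # 3. Replay of the same token: it was consumed in step 2, so this is rejected.
  results[:replayed_post] = request_phase_check(s2, method: 'POST',
                                                params: { 'authenticity_token' => t2 })

  # 4. GET permitted only with a fresh, session-bound token, and only once.
  s4 = FakeSession.new
  t4 = issue_request_token(s4)
  results[:get_with_token] = request_phase_check(s4, method: 'GET', allow_get: true,
                                                 params: { 'authenticity_token' => t4 })
  results[:get_replayed]   = request_phase_check(s4, method: 'GET', allow_get: true,
                                                 params: { 'authenticity_token' => t4 })
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point for the plugin case in the thread: the intermediary page that auto-submits a hidden form adds nothing by itself if the page that mints the token is itself reachable by a cross-site GET, because the browser will happily render it and submit the form. What protects the flow is that the token is minted into the user's own session on the plugin owner's origin and consumed on first use, so the request phase cannot be started, or started twice, by a page the user did not intend to interact with.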