Remove 'omniauth-rails_csrf_protection' (!98378) · Merge requests · GitLab.org / GitLab

Jessie Young requested to merge jy-csrf-gem into master Sep 19, 2022

What does this MR do and why?

Use Gitlab::RequestForgeryProtection instead
Previously, this gem was added because there was an OAuth error being raised without it.
Turns out this is because Gitlab::RequestForgeryProtection was being called before_request_phase but needed to be called in request_validation_phase (was being ignored as a result)
See this related PR: https://github.com/cookpad/omniauth-rails_csrf_protection/pull/9
Issue: #374011 (closed)

Screenshots or screen recordings

Before (CSRF gem removed but no change to omniauth initializer):

Screen_Recording_2022-09-19_at_1.52.18_PM

After:

Screen_Recording_2022-09-19_at_1.50.22_PM

How to set up and validate locally

Set up OAuth locally and confirm that the login flow works. I tested Google OAuth: https://docs.gitlab.com/ee/integration/google.html

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Sep 19, 2022 by Jessie Young

Remove 'omniauth-rails_csrf_protection'

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports