FEATURE: Allow admins to opt-in to seamless redirects on /auth/* (#31235)

By default, when multiple login providers are enabled, Discourse
requires user interaction before triggering an external auth flow. This
is defense-in-depth against "Login CSRF" attacks.

This commit introduces a setting to control this behavior, so that it
can be disabled when admins fully trust the downstream systems and need
an interaction-free login flow on a site with multiple login providers.

Default behavior remains unchanged.
David Taylor
2025-02-07 11:43:39 +00:00
committed by GitHub
parent 117027a40a
commit 6b6b31a97f
4 changed files with 13 additions and 1 deletions


@@ -159,6 +159,13 @@ RSpec.describe Users::OmniauthCallbacksController do
get "/auth/google_oauth2"
expect(response.status).to eq(302)
end
it "should not be CSRF protected if the setting has been disabled" do
SiteSetting.auth_require_interaction = false
SiteSetting.enable_local_logins = true
get "/auth/google_oauth2"
expect(response.status).to eq(302)
end
end
end
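Review bot: the new spec asserts exactly what the spec immediately above it asserts (`get "/auth/google_oauth2"` followed by `expect(response.status).to eq(302)`), so as far as the visible lines show it would also pass if `auth_require_interaction = false` had no effect at all. To make the test prove the opt-out, pair it with a negative case that keeps `auth_require_interaction` at its default (interaction required) with `SiteSetting.enable_local_logins = true` and asserts the status is not 302, and consider also checking `response.location` so the 302 is known to be the redirect to the external provider rather than some other redirect.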