Module: Controllers::DeviseReturnable
- Extended by: ActiveSupport::Concern
- Included in: Auth::AuthenticationsController, Auth::CustomerPasswordsController, Auth::CustomerSessionsController, Auth::EmployeeSessionsController, MyAccountsController
- Defined in: app/concerns/controllers/devise_returnable.rb
Constant Summary
- ALLOWED_REDIRECT_HOSTS = %w[warmlyyours.com warmlyyours.ca warmlyyours.me].freeze
  List of allowed hosts for redirects (our domains).
Instance Method Summary
- #check_for_devise_return_path ⇒ Object
- #devise_return_path_from_omniauth_hash ⇒ Object
- #safe_referer ⇒ Object
  Returns a safe internal referer, or nil if the referer is external. Use this instead of request.referer to prevent open redirect vulnerabilities.
Instance Method Details
#check_for_devise_return_path ⇒ Object
```ruby
# File 'app/concerns/controllers/devise_returnable.rb', line 13

def check_for_devise_return_path
  # Prefer an explicit devise_return_path param, then the value carried through the OmniAuth flow
  @devise_return_path ||= Addressable::URI.unescape(params[:devise_return_path]) unless params[:devise_return_path].blank?
  @devise_return_path ||= devise_return_path_from_omniauth_hash # this is on return from omniauth flow
  logger.debug "Authenticable#check_for_devise_return_path: request.env['omniauth.params']: #{request.env['omniauth.params'].inspect}"
  logger.debug "Authenticable#check_for_devise_return_path: @devise_return_path: #{@devise_return_path}"
  if @devise_return_path.present?
    @devise_return_path = view_context.sanitize(@devise_return_path.to_s)
    # Clear external URLs to prevent open redirect vulnerabilities
    @devise_return_path = nil unless internal_redirect_path?(@devise_return_path)
  end
end
```
#devise_return_path_from_omniauth_hash ⇒ Object
```ruby
# File 'app/concerns/controllers/devise_returnable.rb', line 25

def devise_return_path_from_omniauth_hash
  logger.debug "Authenticable#devise_return_path_from_omniauth_hash: request.env['omniauth.params']: #{request.env['omniauth.params'].inspect}"
  res = nil
  # OmniAuth passes the original query params back in request.env['omniauth.params'] after the callback
  res = request.env['omniauth.params']['devise_return_path'] if request.env['omniauth.params'].present?
  logger.debug "Authenticable#devise_return_path_from_omniauth_hash: res: #{res}"
  res
end
```
#safe_referer ⇒ Object
Returns a safe internal referer, or nil if the referer is external. Use this instead of request.referer to prevent open redirect vulnerabilities.
```ruby
# File 'app/concerns/controllers/devise_returnable.rb', line 35

def safe_referer
  return nil if request.referer.blank?
  # Only hand back the Referer header when it points at one of our own hosts
  return request.referer if internal_redirect_path?(request.referer)

  nil
end
```
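Both check_for_devise_return_path and safe_referer rely on internal_redirect_path?, which this page references but does not show. The following is an added, self-contained illustration of the kind of host-allowlist check such a predicate needs to perform; it is not the project's own implementation, and the helper safe_return_path is likewise assumed for the example. It uses the standard library URI rather than Addressable so it runs without extra gems, and it treats the edge cases that commonly defeat naive prefix checks: protocol-relative paths, backslash-prefixed paths, userinfo-in-authority confusion, lookalike hosts, and non-http schemes.

```ruby
require 'uri'

# Assumed allowlist, mirroring the page's ALLOWED_REDIRECT_HOSTS constant.
ALLOWED_REDIRECT_HOSTS = %w[warmlyyours.com warmlyyours.ca warmlyyours.me].freeze

# Returns true only when +target+ is safe to hand to redirect_to: either a
# same-origin path, or an absolute http(s) URL whose host is one of the allowed
# hosts or a subdomain of one. (Illustrative implementation, not the project's.)
def internal_redirect_path?(target, allowed_hosts = ALLOWED_REDIRECT_HOSTS)
  return false if target.nil?
  target = target.to_s.strip
  return false if target.empty?

  # Relative paths are fine only with a single leading "/": "//host" is a
  # protocol-relative URL, and browsers normalise "/\host" to the same thing.
  if target.start_with?('/')
    return !target.start_with?('//') && !target.start_with?('/\\')
  end

  uri = URI.parse(target)
  # URI::HTTPS is a subclass of URI::HTTP, so this accepts both and rejects
  # javascript:, data:, mailto: and schemeless strings such as "example.com/x".
  return false unless uri.is_a?(URI::HTTP)
  # "https://warmlyyours.com@evil.example/" parses with host evil.example;
  # refusing any userinfo removes the lookalike entirely.
  return false if uri.userinfo
  return false if uri.host.nil? || uri.host.empty?

  # Compare case-insensitively and ignore a trailing dot (FQDN form).
  host = uri.host.downcase.chomp('.')
  # Exact match or a proper subdomain; "warmlyyours.com.evil.example" fails
  # because it does not END with ".warmlyyours.com".
  allowed_hosts.any? { |h| host == h || host.end_with?(".#{h}") }
rescue URI::InvalidURIError
  # Unparseable input (spaces, stray control characters) is never internal.
  false
end

# Resolve a candidate return path to something redirect_to can use, falling
# back to an internal default when the candidate is external or absent.
def safe_return_path(candidate, fallback = '/')
  internal_redirect_path?(candidate) ? candidate : fallback
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not values taken from the original page.
  %w[/my-account https://shop.warmlyyours.com/cart //evil.example/ https://warmlyyours.com.evil.example/
     https://warmlyyours.com@evil.example/ javascript:alert(1)].each do |t|
    puts format('%-45s %s', t, internal_redirect_path?(t))
  end
end
```

The subdomain rule is deliberate: matching on end_with?(".#{h}") rather than include?(h) is what separates shop.warmlyyours.com (allowed) from warmlyyours.com.evil.example (rejected). If the application only ever redirects to paths, the relative-path branch alone is enough and the absolute-URL branch can be dropped, which shrinks the surface further.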