Module: Controllers::DeviseReturnable

Extended by:
ActiveSupport::Concern
Included in:
Auth::AuthenticationsController, Auth::CustomerPasswordsController, Auth::CustomerSessionsController, Auth::EmployeeSessionsController, MyAccountsController
Defined in:
app/concerns/controllers/devise_returnable.rb

Overview

ActiveSupport::Concern mixin for controllers: resolves the Devise return path from the request and discards any value that is not an internal redirect target.

Constant Summary

ALLOWED_REDIRECT_HOSTS =

List of allowed hosts for redirects (our domains)

%w[
  warmlyyours.com
  warmlyyours.ca
  warmlyyours.me
].freeze

Instance Method Summary

Instance Method Details

#check_for_devise_return_path ⇒ Object



# File 'app/concerns/controllers/devise_returnable.rb', line 15

# Resolves the post-authentication return path for this request and stores it
# in @devise_return_path; the ivar is left nil when no candidate is supplied or
# when the candidate fails the internal-path check.
#
# Candidate sources, first present value wins (||=):
#   1. params[:devise_return_path], percent-decoded with Addressable::URI.unescape
#   2. devise_return_path_from_omniauth_hash (the omniauth callback leg)
#
# The candidate is passed through view_context.sanitize and then gated by
# internal_redirect_path?; the gate runs on the final decoded and sanitised
# string, i.e. the exact value a later redirect would use. Anything rejected is
# cleared to nil rather than partially trusted.
#
# NOTE(review): internal_redirect_path? is defined outside this module and is the
# only check between user input and the redirect target — confirm it treats
# protocol-relative ("//host") and scheme-prefixed values as external.
# NOTE(review): both debug lines log request-derived values; verify that
# omniauth.params cannot carry anything sensitive before enabling debug logging.
#
# @return [nil] always; the outcome is communicated via @devise_return_path
def check_for_devise_return_path
  raw_param = params[:devise_return_path]
  @devise_return_path ||= Addressable::URI.unescape(raw_param) if raw_param.present?
  # Set on the way back from the omniauth flow
  @devise_return_path ||= devise_return_path_from_omniauth_hash
  logger.debug "Authenticable#check_for_devise_return_path: request.env['omniauth.params']: #{request.env['omniauth.params'].inspect}"
  logger.debug "Authenticable#check_for_devise_return_path: @devise_return_path: #{@devise_return_path}"
  return if @devise_return_path.blank?

  @devise_return_path = view_context.sanitize(@devise_return_path.to_s)
  # Open-redirect guard: keep the path only if it is internal, otherwise drop it.
  return if internal_redirect_path?(@devise_return_path)

  @devise_return_path = nil
end

#devise_return_path_from_omniauth_hash ⇒ Object



# File 'app/concerns/controllers/devise_returnable.rb', line 27

# Reads the 'devise_return_path' entry that omniauth carried through the
# external round trip in request.env['omniauth.params'].
#
# The value is only a candidate: it is still request-derived input and is not
# validated here — the caller (check_for_devise_return_path) applies
# internal_redirect_path? before anything is redirected to.
#
# @return [Object, nil] the stored entry, or nil when omniauth.params is blank
def devise_return_path_from_omniauth_hash
  omniauth_params = request.env['omniauth.params']
  logger.debug "Authenticable#devise_return_path_from_omniauth_hash: request.env['omniauth.params']: #{omniauth_params.inspect}"
  res = omniauth_params.present? ? omniauth_params['devise_return_path'] : nil
  logger.debug "Authenticable#devise_return_path_from_omniauth_hash: res: #{res}"
  res
end

#safe_referer ⇒ Object

Returns the referer when it is an internal path, or nil when it is blank or external.
Use this instead of request.referer as a redirect target to prevent open redirect vulnerabilities.



# File 'app/concerns/controllers/devise_returnable.rb', line 37

# Returns request.referer only when internal_redirect_path? accepts it.
#
# The Referer header is client-controlled, so it is never used as a redirect
# target directly; this helper is the drop-in replacement for request.referer
# in redirect_to calls.
#
# @return [String, nil] the referer if it is an internal path, nil when it is
#   blank or fails internal_redirect_path?
def safe_referer
  referer = request.referer
  return nil if referer.blank?

  internal_redirect_path?(referer) ? referer : nil
end