radis_sessionへの対応

sion908 · sion908 · commit 4552c39b1c55 · 2024-10-27T22:40:14.000+09:00
diff --git a/lib/omniauth/strategies/cityos_dcp_login.rb b/lib/omniauth/strategies/cityos_dcp_login.rb
@@ -9,11 +9,13 @@ class AgreementRequiredError < StandardError; end
         option state: SecureRandom.hex(24)
         option :pkce, true
 
+        SRF_GUARD_COOKIE_NAME = 'xsrf_guard'.freeze
+
         uid { raw_info["user_id"] }
 
         info do
             {
-                nickname: raw_info["nickname"],
+                user_id: raw_info['user_id'],
                 email: raw_info["user_email"],
                 name: raw_info["nickname"]
             }
@@ -28,9 +30,38 @@ def raw_info
         end
 
         def callback_phase
-            super
+
+            if cookie_store?
+                super
+            end
+
+            error = request.params["error_reason"] || request.params["error"]
+
+            # エラーチェック
+            if error
+                fail!(error, CallbackError.new(request.params["error"], request.params["error_description"] || request.params["error_reason"], request.params["error_uri"]))
+            elsif request.params['code']
+                super
+            elsif request.cookies[SRF_GUARD_COOKIE_NAME] && session[:csrf_guard]
+
+                # オプトインフローでのCSRFチェック
+                handle_opt_in_flow_with_csrf_check
+                OmniAuth::Strategy.instance_method(:callback_phase).bind(self).call
+            else
+                # 期待されるパラメータがない場合のエラー処理
+                fail!(:invalid_request, CallbackError.new(:invalid_request, "Invalid request in callback"))
+            end
         rescue AgreementRequiredError => e
-            return redirect(e.message)
+            if cookie_store?
+                return redirect(e.message)
+            end
+            return redirect_with_csrf_token(e.message)
+        rescue ::OAuth2::Error, CallbackError => e
+            fail!(:invalid_credentials, e)
+        rescue ::Timeout::Error, ::Errno::ETIMEDOUT => e
+            fail!(:timeout, e)
+        rescue ::SocketError => e
+            fail!(:failed_to_connect, e)
         end
 
         def setup_phase
@@ -83,8 +114,15 @@ def user_info_opt
                                                 }
                                              }.to_json
                                             ).parsed
+            session["access_token"] = access_token.token
             if @id_token_payload.agreeFlg == "0" then
-                agreement_url = "https://#{options.optin_url}?serviceId=#{options.service_id}&redirectUrl=#{CGI.escape(agreement_callback_url)}"
+                redirect_url = nil
+                if cookie_store?
+                    redirect_url = agreement_callback_url
+                else
+                    redirect_url = callback_url
+                end
+                agreement_url = "https://#{options.optin_url}?serviceId=#{options.service_id}&redirectUrl=#{CGI.escape(redirect_url)}"
                 raise AgreementRequiredError, agreement_url
             else
                 Rails.logger.info("token:#{@id_token_payload.inspect}")
@@ -106,6 +144,111 @@ def site_url
             return parts[0] + '.com' if parts.size > 1
             url
         end
+
+        def handle_opt_in_flow_with_csrf_check
+            csrf_token = request.cookies[SRF_GUARD_COOKIE_NAME]
+
+            if csrf_token.nil? || csrf_token != session[:csrf_guard]
+                fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected"))
+            else
+                # CSRFトークンが一致した場合、セッションとクッキーからCSRFトークンを削除
+                session.delete(:csrf_guard)
+                session.delete("omniauth.pkce.verifier")
+                request.cookies.delete(SRF_GUARD_COOKIE_NAME)
+                # オプトイン承認後に必要な処理を行う
+                request.params['state'] = csrf_token
+                session['omniauth.state'] = csrf_token
+                Rails.logger.debug "Current sessions: #{session.to_hash.inspect}"
+                self.access_token = build_access_token_class session["access_token"]
+            end
+        end
+
+        def redirect_with_csrf_token(uri, options = {})
+            r = Rack::Response.new
+
+            # URIからパスを抽出
+            begin
+                parsed_uri = URI(uri)
+                path = parsed_uri.path.empty? ? '/' : parsed_uri.path
+                domain = extract_domain(parsed_uri.host)
+              rescue URI::InvalidURIError
+                # 無効なURIの場合のエラー処理
+                Rails.logger.error "Invalid URI provided: #{uri}"
+                raise ArgumentError, "Invalid URI provided: #{uri}"
+              end
+
+
+            csrf_token = SecureRandom.urlsafe_base64(32)
+            session[:csrf_guard] = csrf_token
+
+            r.set_cookie(SRF_GUARD_COOKIE_NAME, {
+                value: csrf_token,
+                expires: 5.minutes.from_now,
+                secure: true,
+                http_only: true,
+                same_site: :none  # クロスサイトリクエストを許可する場合
+            })
+
+            Rails.logger.debug "Cookies after setting:"
+            Rails.logger.debug r.headers["Set-Cookie"]
+
+            if options[:iframe]
+                r.write("<script type='text/javascript' charset='utf-8'>top.location.href = '#{uri.to_json}';</script>")
+            else
+                # r.write("Redirecting to #{uri}...")
+                r.redirect(uri)
+            end
+
+            r.finish
+        end
+
+        def extract_domain(host)
+            return nil if host.nil?
+
+            parts = host.split('.')
+            return host if parts.length <= 2
+
+            # サブドメインを除去し、メインドメインとTLDを返す
+            parts.slice(-2, 2).join('.')
+        end
+
+        def build_access_token_class(existing_token)
+            ::OAuth2::AccessToken.new(
+            client,
+            existing_token
+          )
+        end
+
+        def sanitize_nickname(nickname)
+            # 正規表現パターン: 文字、数字、'-' および '_' のみを許可
+            valid_pattern = /^[a-zA-Z0-9\-_]+$/
+
+            if nickname.present? && nickname.match?(valid_pattern)
+              nickname
+            else
+              # ランダムな8文字の英数字を生成
+              SecureRandom.alphanumeric(8)
+            end
+        end
+
+        def detect_session_store
+            return false unless defined?(Rails)
+            return false unless Rails.application
+            
+            begin
+              store = Rails.application.config.session_store
+              return store if store
+              false
+            rescue
+              false
+            end
+        end
+          
+        def cookie_store?
+            store = detect_session_store
+            return true unless store  # セッションが検出できない場合はcookie扱い
+            store.to_s.include?('CookieStore')
+        end
     end
     end
 end
