[openstreetmap/openstreetmap-website] Social sign-in: avoid re-authorization in `users_controller#create` (PR #4847)
Milan Cvetkovic
notifications at github.com
Mon May 27 18:45:05 UTC 2024
It does not add any additional guards against malicious users:
A malicious user may attempt to invoke `POST /users/new` with bogus values for `auth_provider` and `auth_uid`, resulting in a new account to which the user would have a way to log in, other than sending a password reset request.
In some cases, re-authorization would introduce an additional "Please login to your social account" or "Are you sure you want to be logged in" popup triggered by the identity provider.
This PR removes the re-authorization request from `POST /users/new` in the authorization flow.
You can view, comment on, or merge this pull request online at:
https://github.com/openstreetmap/openstreetmap-website/pull/4847
-- Commit Summary --
* Social sign-in: avoid re-authorization in `users_controller#create`
-- File Changes --
M app/controllers/users_controller.rb (13)
M test/integration/user_creation_test.rb (189)
-- Patch Links --
https://github.com/openstreetmap/openstreetmap-website/pull/4847.patch
https://github.com/openstreetmap/openstreetmap-website/pull/4847.diff
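The PR description says no new guard is added against bogus `auth_provider` / `auth_uid` values posted to `POST /users/new`. As an added example (not code from openstreetmap-website or from the PR), the following plain-Ruby sketch shows the shape such a guard usually takes: the posted provider/uid are honoured only if they match an identity that the identity-provider callback already verified and stored in the session, the stored identity expires, and it is consumed on use. The session key `:verified_auth`, the `VERIFIED_AUTH_TTL` value, the field names and the returned symbols are all assumptions made for the example.

```ruby
# Added example, not code from openstreetmap-website or PR #4847.
# Session key, TTL, parameter names and return symbols are assumptions.

# Constant-time string comparison so that a guessed uid cannot be confirmed
# by timing the comparison.
def secure_equal?(a, b)
  a = a.to_s
  b = b.to_s
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

VERIFIED_AUTH_TTL = 600 # seconds a verified identity stays usable (assumed value)

# Called only from the identity-provider callback, after a successful
# round-trip. This is the single place that writes a verified identity.
def record_verified_identity(session, provider:, uid:, now: Time.now)
  session[:verified_auth] = {
    "provider" => provider.to_s,
    "uid" => uid.to_s,
    "at" => now.to_f
  }
  session
end

# Classify a signup POST (assumed fields "auth_provider" and "auth_uid").
# Returns :password_only, :social_ok or :social_rejected.
# On :social_ok the verified identity is removed from the session so it
# cannot be replayed to create a second account.
def classify_signup(params, session, now: Time.now)
  provider = params["auth_provider"].to_s
  uid = params["auth_uid"].to_s
  return :password_only if provider.empty? && uid.empty?

  verified = session[:verified_auth]
  # No provider round-trip happened in this session: the values are unverified.
  return :social_rejected if verified.nil?
  # The round-trip is too old to vouch for the account being created now.
  return :social_rejected if now.to_f - verified["at"] > VERIFIED_AUTH_TTL
  # The posted values must match what the provider actually asserted.
  return :social_rejected unless secure_equal?(verified["provider"], provider) &&
                                 secure_equal?(verified["uid"], uid)

  session.delete(:verified_auth)
  :social_ok
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.at(1_700_000_000)
  # Constructed session: the provider callback verified google uid 1234567890.
  session = record_verified_identity({}, provider: "google", uid: "1234567890", now: t0)
  puts classify_signup({ "auth_provider" => "google", "auth_uid" => "1234567890" },
                       session, now: t0 + 30)
  # Constructed bogus request with no prior round-trip, the case the PR text
  # mentions: rejected instead of creating an account bound to a made-up uid.
  puts classify_signup({ "auth_provider" => "openid",
                         "auth_uid" => "https://example.invalid/alice" }, {}, now: t0)
end
```

The point of binding to the session rather than re-running the provider flow is that the user is not prompted a second time, which is the annoyance the PR removes, while the server still never trusts `auth_provider` / `auth_uid` straight from the form.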