Merge changes into official CoinGecko repo #1
+15
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
skip verify_nonce
ervinchai
commented
Jul 30, 2024
| @@ -105,7 +119,7 @@ def verify_claims!(id_token) | |||
| verify_aud!(id_token) | |||
| verify_iat!(id_token) | |||
| verify_exp!(id_token) | |||
| verify_nonce!(id_token) if id_token[:nonce_supported] | |||
| # verify_nonce!(id_token) if id_token[:nonce_supported] | |||
There was a problem hiding this comment.
We need to figure out why this is done. We really shouldn't be disabling the nonce verification, as it would allow for replay attacks.
ervinchai
commented
Jul 30, 2024
| @@ -63,6 +63,20 @@ def callback_url | |||
| options[:redirect_uri] || (full_host + callback_path) | |||
| end | |||
|
|
|||
| def callback_phase | |||
There was a problem hiding this comment.
Why do we need this callback_phase? What does it actually do? 🤔
ervinchai
commented
Jul 30, 2024
| @@ -63,6 +63,20 @@ def callback_url | |||
| options[:redirect_uri] || (full_host + callback_path) | |||
| end | |||
|
|
|||
| def callback_phase | |||
| if request.request_method.downcase.to_sym == :post | |||
There was a problem hiding this comment.
ervinchai
commented
Jul 30, 2024
| url += "&state=#{CGI::escape(state)}" | ||
| url += "&user=#{CGI::escape(request.params['user'])}" if request.params['user'] | ||
| end | ||
| session.options[:drop] = true # Do not set a session cookie on this response |
ervinchai
commented
Jul 30, 2024
Comment on lines
+68
to
+73
| url = "#{callback_url}" | ||
| if (code = request.params['code']) && (state = request.params['state']) | ||
| url += "?code=#{CGI::escape(code)}" | ||
| url += "&state=#{CGI::escape(state)}" | ||
| url += "&user=#{CGI::escape(request.params['user'])}" if request.params['user'] | ||
| end |
There was a problem hiding this comment.
Why are we attaching these params on the query params of the callback URI? 🤔
|
We'll need answers to the above questions, but completing the migration first. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.