Slide 1
Slide 1 text
OmniauthͰϋϚͬͨ
2021/03/24 Fukuoka.rb 200ճLTେձ
@treby006
Slide 2
Slide 2 text
About Me
• treby (ͱΕͼʔ)
• @treby006
• Shinjuku.rbͷੈ
Slide 3
Slide 3 text
About Me
• ࣮(?)Ԭग़
• Ԭࢢ౦۠/۠ɺେໂాࢢʹ༝ԑ͕͋Γ·͢
Slide 4
Slide 4 text
About Me
• ಠཱܥϕϯνϟʔΩϟϐλϧۈ
• ελʔτΞοϓ͖͕ߴͯ͡ग़ࢿଆʹ
• ҎલBtoCBtoBͷελʔτΞοϓͰRailsΤϯδχΞ
• Rubyք۾ͩͱʮjoker͞Μ͕͍Δͱ͜ʯͰ௨͡Δ͔Βָ
• ITΛऔΓѻ͏͚ͲɺۀͰίʔυॻ͔ͳ͍
Slide 5
Slide 5 text
About Me
• ಠཱܥϕϯνϟʔΩϟϐλϧۈ
• ελʔτΞοϓ͖͕ߴͯ͡ग़ࢿଆʹ
• ҎલBtoCBtoBͷελʔτΞοϓͰRailsΤϯδχΞ
• Rubyք۾ͩͱʮjoker͞Μ͕͍Δͱ͜ʯͰ௨͡Δ͔Βָ
• ITΛऔΓѻ͏͚ͲɺۀͰίʔυॻ͔ͳ͍ => ͚Ͳॻ͖͍ͨ
Slide 6
Slide 6 text
ίʔυΛॻ͔ͳ͘ͳͬͯ͠·ͬͨਓ͋Δ͋ΔͷΈ
• ࠷৽ͷٕज़ΛΩϟονΞοϓͰ͖ͳ͘ͳΔͷͰͳ͍͔
• ٕज़ྗ͕མͪͯ͠·͏ͷͰͳ͍͔
• ࣍ʹస৬ͨ͠ͱ͖ʹ։ൃऀͱͯ͠৯͍ͬͺ͙ΕΔͷͰͳ͍͔
• ͍͔ͭ͠ΩϟϦΞ͕த్ʹͳͬͯ͠·͏ͷͰͳ͍͔
• ݱײ͕ͳ͘ͳͬͯ͠·͏ͷͰͳ͍͔
Slide 7
Slide 7 text
ίʔυΛॻ͔ͳ͘ͳͬͯ͠·ͬͨਓ͋Δ͋ΔͷΈ
• ࠷৽ͷٕज़ΛΩϟονΞοϓͰ͖ͳ͘ͳΔͷͰͳ͍͔
• ٕज़ྗ͕མͪͯ͠·͏ͷͰͳ͍͔
• ࣍ʹస৬ͨ͠ͱ͖ʹ։ൃऀͱͯ͠৯͍ͬͺ͙ΕΔͷͰͳ͍͔
• ͍͔ͭ͠ΩϟϦΞ͕த్ʹͳͬͯ͠·͏ͷͰͳ͍͔
• ݱײ͕ͳ͘ͳͬͯ͠·͏ͷͰͳ͍͔
Slide 8
Slide 8 text
ݱײ͕ͳ͘ͳΔͱԿ͕ྑ͘ͳ͍ͷ͔
• ۀ্ͷೳྗ͕Լ: ࢿݕ౼ͷࡍͷ։ൃྗݟཱͯ(σϡʔσϦδΣϯε)
• ར͖͕Ͱ͖ͳ͘ͳ͍ͬͯ͘ͷͰʁ
• ઐՈͱͯ͠ίϝϯτ͢Δ༰্͕Γͯ͠͠·͏ͷͰʁ
• ͋Δࣄྫʹ৮Εͨ࣌ʹʮࣗͷݴ༿ʯͰͤͳ͍Ͳ͔͠͞
• ͰɺͲ͏͢Δʁ
Slide 9
Slide 9 text
ͦ͏ͩɺ։ൃ͠Α͏
Slide 10
Slide 10 text
αΠυϓϩδΣΫτɺ͡Ί·ͨ͠
• ਓͱझຯϓϩμΫτ࡞Γ / ։ൃΛঠ͢ΔཱͪҐஔ
• LINEͷϛχΞϓϦ(ࠓεςϧε) / ۙʑ͓൸࿐Ͱ͖Δͱྑ͍ͳ
• جຊతʹθϩ͔Βͷ্ཱͪ͛(1݄ʙ)
• ։ൃج൫࡞ΓνʔϜϏϧσΟϯάͰָ͖͍ͯ͠
Slide 11
Slide 11 text
γεςϜߏਤ
Slide 12
Slide 12 text
ٕज़ελοΫ
• ϑϩϯτ(LIFFΞϓϦ): Vue CLI (webpackerෆ༻)
• Next.js on Vercel
• αʔό: Rails 6.1.3 (Ruby 3.0) on Heroku
• omniauth
• administrate
• ridgepole
• crono_trigger
Slide 13
Slide 13 text
ٕज़ελοΫ
• ϑϩϯτ(LIFFΞϓϦ): Vue CLI (webpackerෆ༻)
• Next.js on Vercel
• αʔό: Rails 6.1.3 (Ruby 3.0) on Heroku
• omniauth
• administrate
• ridgepole
• crono_trigger
Slide 14
Slide 14 text
omniauth
• ϚϧνϓϩόΠμͷೝূΛఏڙ͢Δgem
• ʮSNSϩάΠϯʯΛ࣮͢Δͷʹྑ͘ΘΕΔΠϝʔδ
• ࣮ʹར༻͍ͨ͠ϓϩόΠμ͚ͷϓϥάΠϯ͕ඞཁ
• omniauth-twitteromniauth-githubͳͲ
• ཧը໘ͷ؆қϩάΠϯػೳͷͨΊʹ࠾༻
• LINEͷϛχΞϓϦͳͷͰLINEͱੑ͕ߴ͍
• omniauth-line ͱҰॹʹಋೖͯ͠LINEϩάΠϯ࣮ͩʂ
Slide 15
Slide 15 text
ಋೖ؆୯
• omniauth gemͱ͍͍ͨϓϩόΠμͷgemΛbundleͯ͠
Gemfile
gem 'omniauth'
gem 'omniauth-line'
Slide 16
Slide 16 text
ίʔϧόοΫΛड͚͚ΔΑ͏ʹͯ͠
• SessionsController ͱϧʔςΟϯάͷ४උ
config/routes.rb
get '/auth/:provider/callback', to: 'sessions#callback'
post '/auth/:provider/callback', to: 'sessions#callback'
get '/logout', to: 'sessions#destroy', as: :logout
Slide 17
Slide 17 text
ϩάΠϯඞཁͳActionʹϦμΠϨΫτΛઃఆ
AdminController
before_action :authenticate_admin
def authenticate_admin
if current_admin_challenger.nil?
redirect_to '/admin/auth/line'
end
end
Slide 18
Slide 18 text
Callback URLͷϗϫΠτϦετొ(LINE)
Slide 19
Slide 19 text
Α࣮͠ߦͩ
Slide 20
Slide 20 text
͏·͍͔͘ͳ͍orz
Slide 21
Slide 21 text
ఆ֎ͷΤϥʔͩͬͨͷͰ
• ϧʔςΟϯά͕ؒҧ͍ͬͯΔͷͰͳ͍͔
• typoͳ͍͔
• omniauth-line ͕ϝϯς͞Ε͍ͯͳ͍ͷͰ
• omniauth ͷgem·ͰΈʹ͍ͬͨ
Slide 22
Slide 22 text
ḷΓண͍ͨͷ
• omniauthͷ༷มߋ
• 2019ࠒͷมߋͰͨ͠ɻࣗͷແ͞Α……
• എܠ: ੬ऑੑCVE-2015-9284 ରԠΒ͍͠
• CSRF͞ΕΔϦεΫ͕͋ΔΑ
• GETͰ͍͚Δ͔Βҙਤ͠ͳ͍ϩάΠϯͤ͞ΒΕΔΑͶ(ͱ͍͏ཧղ)
• ੬ऑੑ͔ͩΒରԠͨ͠ํ͕ྑ͍
• ͪΐͬͱͤྑ͍ͷͰͳ͘ɺຯʹରԠ͕໘
Slide 23
Slide 23 text
ྑ͘ͳ͍͚ͲɺΦϓγϣϯΛແޮԽͯ͠ରԠ
• ੬ऑੑΔΘ͚Ͱ͕͢ɺҰ୴ྑ͍͔ͳɺͱ͍͏அ
• ͜ΕͰಈ͖·ͨ͠
config/initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
configure do |config|
config.allowed_request_methods = %i[get post]
config.silence_get_warning = true
end
:
end
Slide 24
Slide 24 text
ͪΌΜͱରԠ͢ΔͳΒ
• gemͬΆ͍ͷଘࡏ͍ͯ͠Δ: ೖΕΕྑ͍ͱ͍͏Θ͚Ͱͳ͍?
• https://github.com/cookpad/omniauth-railscsrfprotection
• ҰճϩάΠϯϘλϯ͕͋Δϖʔδʹඈ͢ײ͡
• ϦμΠϨΫτͰPOSTͤ͞Δͷͬͯ͘͠ͳ͍ʁ
• ৄ͘͠ͳ͍ͷͰڭ͍͑ͯͩ͘͞><
Slide 25
Slide 25 text
·ͱΊ
• αΠυϓϩδΣΫτ͍͍ͧ
• ݱײɺഓ͍ͬͯͧ͘ʂ
• gemͷߋ৽ʹશવ͍͍͚ͭͯͯͳͯ͘ϫϩλ
• खΛಈ͔ͯٔ͠ΕΔ͜ͱେࣄ
Slide 26
Slide 26 text
એ
• ϙουΩϟετΛ͍ͬͯΔͷͰྑ͔ͬͨΒௌ͍ͯͶ
• ͯ͘͠Ε͍͍ͯͷΑ
Slide 27
Slide 27 text
Happy Hacking!!