貴方はOmniAuth::AuthHashを知っていますか？

Transcript

1. 1.

   وํ͸OmniAuth::AuthHash Λ஌͍ͬͯ·͔͢ʁ @teitei_tk

2. 2.

   ͓લ͸୭ͳΜͩɻ • ΠϯλʔωοτͰ͸@teitei_tkɺ teitei-tk౳Ͱੜଉ͍ͯ͠·͢ɻΞ Πίϯ͸ӈͰ΍͓ͬͯΓ·͢ɻ • ࠓͷͱ͜Ζɺfreeeͱ͍͏ձࣾʹ ॴଐ͍ͯ͠·͢ɻ • झຯ͸มͳTγϟπΛணΔ͜ͱɻ

   23:00͔Βχϡʔε൪૊ͷ࣮گΛ ͢Δ͜ͱͰ͢ɻ • কདྷ͸σΟετϐΞͳੈքͰ೴ ਷ʹͳͬͯ༨ੜΛա͍ͨ͝͠ɻ
3. 3.

   ࠓ೔࿩͢͜ͱ

4. 4.

   ͷલʹ OmniAuthʹ͍ͭͯ

5. 5.

   OmniAuthʹ͍ͭͯͷৼΓฦΓ • WebΞϓϦέʔγϣϯʹͯϓϩόΠμೝূͷखஈΛఏڙ͢ ΔϥΠϒϥϦ • ޠฐΛڪΕͣʹݴ͑͹ɺ͍ΘΏΔOAuthೝূ(Twitterɺ GithubɺGoogle, etc)ΛؾܰʹఏڙͰ͖ΔϥΠϒϥϦ • ࣗલͷOAuthೝূ΋࣮૷͢Δ͜ͱ͕Ͱ͖·͢ɻ

6. 6.

   OmniAuthͰGithubΛݕࡧ • Repository 3k • Code 1M • Commits 66k

   • https://github.com/ search?q=omniauth • ͍ΘΏΔσϑΝΫτε λϯμʔυ
7. 7.

   ຊ୊

8. 8.

   وํ͸OmniAuth::AuthHash Λ஌͍ͬͯ·͔͢ʁ

9. 9.

   OmniAuth::AuthHashʹ͍ͭͯ • ϓϩόΠμೝূޙ ʹؼͬͯ͘Δύϥ ϝʔλͷ஋ͷClass Ͱ͢ɻ • ͜ͷUMLਤͰ͸ Callback Phase͔

   ΒͷokͷฦΓ஋Ͱ ͢Ͷɻ
10. 10.

    ࣮ࡍʹݟͨ΄͏͕ૣ͍

11. 11.

    • rack middlewareɾRailsͷઆ໌ʹͳΔͱ޿͘ͳΔͷͰল͖ ·͢ɻ • ࠓճ͸Rails্ͰOmniAuthΛར༻͍ͯ͠ΔࣄΛલఏͰ͢ɻ

12. 12.

    lib/omniauth/strategy.rb • ࣮ࡍʹOmniAuthͷιʔείʔυΛಡΜͰ͍͘ɻ • lib/omniauth/strategy.rb • Githubʹhosting͞Ε͍ͯ·͢ɻ • 1. L176:ͷcall!͔ΒL367:callback_phase͕ݺ͹Ε·͢ɻ

    • env['omniauth.auth'] = auth_hash • ͜ͷauth_hash͕ࠓճͷओ໾Ͱ͢ɻ
13. 13.

    ControllerͰऔಘ͢Δ৔߹ • RailsଆͰ͸͜Μͳײ ͡ͰऔಘͰ͖·͢ɻ 1 class SessionController < ApplicationController 2

    def create 3 # do something 4 puts auth_hash 5 end 6 7 protected 8 9 def auth_hash 10 request.env['omniauth.auth'] 11 end 12 end
14. 14.

    ͜ͷ͋ͱΑ͋͘Δॲཧ • ActiveModelͱͯ͠ද ݱΛߦ͏ • ActiveRecordͰRecord Λ௥Ճ͢Δ • αϯϓϧͱͯ͠͸ӈͷ Α͏ͳίʔυͰ͠ΐ͏

    ͔ɻ 1 class Github::Schema 2 include ActiveModel::Model 3 include ActiveModel::Attributes 4 5 validates :provider, :uid, presence: true 6 7 attribute :provider, :string 8 attribute :uid, :string 9 10 # do something 11 end 12 13 github = Github::Schema.new(auth_hash)
15. 15.

    • ActiveModel::ForbiddenAttributesError

16. 16.

    • ?????????????????? • Α͘Θ͔ΒΜ

17. 17.

    Α͘Θ͔ΒΜɻ

18. 18.

    ιʔείʔυΛ௥͏ɻ

19. 19.

    OmniAuth::AuthHash • OmniAuth::AuthHash ͸ OmniAuth::KeyStore Λར༻͠ ͍ͯΔɻ • Hashieͱ͍͏module͕ఏڙ͍ͯ͠Δ Hashie::Mashͱ͍͏classΛܧঝ͍ͯ͠Δɻ

20. 20.

    Hashie::Mash • Object#respond_to_missing? Λܧঝ͍ͯ͠Δɻ • Line:251ʹ࣮૷͕͋Γ·͕͢ɺsuffix͕ͭ͘ίʔυͳΒ໰ ౴ແ༻ͰtrueΛฦ͍ͯ͠Δɻ

21. 21.

    ActiveModel::ForbbidenAttri butesErrorͱ͸ • Railsͷstrong parameterͱ͍͏࢓૊Έ

22. 22.

    ActiveModel::ForbbidenAttri buteError 1 module ForbiddenAttributesProtection # :nodoc: 2 private 3

    def sanitize_for_mass_assignment(attributes) 4 if attributes.respond_to?(:permitted?) 5 raise ActiveModel::ForbiddenAttributesError if !attributes.permitted? 6 attributes.to_h 7 else 8 attributes 9 end 10 end 11 alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment 12 end 13 end
23. 23.

    צͷྑ͍ํ͸ࠓͷͰؾ ͔ͮ͘΋͠Εͳ͍ɻ

24. 24.

    #ຊ౰ʹ͋Δා͍ίʔυ

25. 25.

    ͜͜Ͱ΋͏Ұ౓ ActiveModel::ForbbidenAttributeError 1 module ForbiddenAttributesProtection # :nodoc: 2 private 3

    def sanitize_for_mass_assignment(attributes) 4 if attributes.respond_to?(:permitted?) 5 raise ActiveModel::ForbiddenAttributesError if !attributes.permitted? 6 attributes.to_h 7 else 8 attributes 9 end 10 end 11 alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment 12 end 13 end
26. 26.

    • Hashie͸ Object#respond_to_missing? Λܧঝ͓ͯ͠Γɺಛఆ ͷsuffix͕͍ͭͨίʔυͳΒશͯtrue͕ม͑ΔΑ͏ʹͳ͍ͬͯ Δɻ • Omniauth::AuthHash(Hashie)Λར༻ͯ͠ActiveModelΛ࡞Δ ͱɺsanitize_for_mass_assignmentʹͯpermit͞Εͨparameter ͔Λrespond_to?(:permitted?)Ͱݟ͍ͯΔ

    • if attributes.respond_to?(:permitted?)ͷॲཧ͕௨ͬͯ͠· ͏ɻ(͜͜Ͱ͍͏attributesͱ͸Omniauth::AuthHash) • ݁Ռͱͯ͠ɻActiveModel::ForbbidenAttributeError͕ൃੜ͢Δɻ
27. 27.

    ͳͥHashieΛར༻͍ͯ͠Δͷ ͔ɾɾɾʁ • Θ͔ΒΜɻ • ා͍

28. 28.

    ·ͱΊ • OmniAuth::AuthHash͸ͨͩͷHashClassͰ͸ͳ͍ɻ • Object#respond_to_missing? Λܧঝͯ͠ಠࣗʹॲཧΛ࣮૷͠ ͍ͯͨΓɺmethod໊͕suffixͳΒtrueΛฦ͢ͳͲɺRails͕ఏڙ ͍ͯ͠Δ Active* ܥͷModuleͱͷ૬ੑ͕ѱ͍ɻ

    • ૬ੑͱ͍͏͔ߦّ͕ѱ͍ɾɾɾʁ • ͦͷ··ར༻͢Δͷ͸ෆ۩߹ͷԹচʹͳΔͷͰɺ࠶ؼॲཧΛߦͬ ͯϓϨʔϯͳHashClassԽ͢ΔͳͲͷରԠΛ͓͢͢Ί͠·͢ɻ
29. 29.

    None