Do you know OmniAuth::AuthHash?

teitei_tk
August 23, 2018

Transcript

  1. Do you know OmniAuth::AuthHash? @teitei_tk

  2. So who are you?
     • On the Internet I go by @teitei_tk, teitei-tk and the like. My icon is the one on the right.
     • At the moment I work at a company called freee.
     • Hobbies: wearing weird T-shirts, and live-commenting the news programme from 23:00.
     • In the future I'd like to live out my days as a disembodied brain in a dystopian world.

  3. What I'll talk about today

  4. Before that: about OmniAuth

  5. A quick recap of OmniAuth
     • A library that gives a web application a way to authenticate users against an identity provider.
     • Put loosely, a library that lets you offer so-called OAuth login (Twitter, GitHub, Google, etc.) with very little effort.
     • You can also implement your own OAuth authentication with it.

  6. Searching GitHub for OmniAuth
     • Repositories: 3k
     • Code: 1M
     • Commits: 66k
     • https://github.com/search?q=omniauth
     • It is the de facto standard.

  7. Main topic

  8. Do you know OmniAuth::AuthHash?

  9. About OmniAuth::AuthHash
     • It is the class of the parameter values that come back after provider authentication.
     • In the UML diagram on this slide, it is the "ok" return value coming out of the Callback Phase.

  10. Quicker to just look at it

  11. • Explaining Rack middleware and Rails would widen the scope too much, so I'll skip that.
      • This talk assumes OmniAuth is being used on Rails.

  12. lib/omniauth/strategy.rb
      • Let's actually read OmniAuth's source code.
      • lib/omniauth/strategy.rb, hosted on GitHub.
      • 1. call! at L176 calls callback_phase at L367.
      • env['omniauth.auth'] = auth_hash
      • This auth_hash is the protagonist of this talk.
  13. Getting it in a controller
      • On the Rails side you can get hold of it like this:

        class SessionController < ApplicationController
          def create
            # do something
            puts auth_hash
          end

          protected

          def auth_hash
            request.env['omniauth.auth']
          end
        end

  14. What usually happens next
      • Represent it as an ActiveModel
      • Insert a record with ActiveRecord
      • A sample would look something like the code on the right:

        class Github::Schema
          include ActiveModel::Model
          include ActiveModel::Attributes

          validates :provider, :uid, presence: true

          attribute :provider, :string
          attribute :uid, :string

          # do something
        end

        github = Github::Schema.new(auth_hash)
  15. • ActiveModel::ForbiddenAttributesError

  16. • ??????????????????
      • No idea what's going on

  17. No idea what's going on.

  18. Follow the source code.

  19. OmniAuth::AuthHash
      • OmniAuth::AuthHash uses OmniAuth::KeyStore.
      • That inherits from Hashie::Mash, a class provided by the Hashie library.

  20. Hashie::Mash
      • It overrides Object#respond_to_missing?.
      • The implementation is at line 251: if the method name ends in one of its suffixes, it returns true unconditionally, no questions asked.

  21. What is ActiveModel::ForbiddenAttributesError?
      • It comes from the Rails mechanism called strong parameters.
  22. ActiveModel::ForbiddenAttributesError

        module ForbiddenAttributesProtection # :nodoc:
          private
            def sanitize_for_mass_assignment(attributes)
              if attributes.respond_to?(:permitted?)
                raise ActiveModel::ForbiddenAttributesError if !attributes.permitted?
                attributes.to_h
              else
                attributes
              end
            end
            alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
        end

  23. The sharp-eyed may already have noticed from that.

  24. #ScaryCodeThatReallyExists

  25. Once more: ActiveModel::ForbiddenAttributesError

        module ForbiddenAttributesProtection # :nodoc:
          private
            def sanitize_for_mass_assignment(attributes)
              if attributes.respond_to?(:permitted?)
                raise ActiveModel::ForbiddenAttributesError if !attributes.permitted?
                attributes.to_h
              else
                attributes
              end
            end
            alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment
        end

  26. • Hashie overrides Object#respond_to_missing? so that it returns true for any method name carrying one of its recognised suffixes.
      • When you build an ActiveModel from an OmniAuth::AuthHash (a Hashie), sanitize_for_mass_assignment checks whether the parameters were permitted by calling respond_to?(:permitted?).
      • So the if attributes.respond_to?(:permitted?) branch is taken (attributes here being the OmniAuth::AuthHash).
      • As a result, ActiveModel::ForbiddenAttributesError is raised.

  27. Why does it use Hashie at all...?
      • No idea.
      • Scary.

  28. Summary
      • OmniAuth::AuthHash is not just a plain Hash class.
      • It overrides Object#respond_to_missing? with its own logic and returns true whenever a method name ends in one of its suffixes, so it gets along badly with the Active* modules Rails provides.
      • Not so much bad compatibility as bad manners...?
      • Using it as-is is a breeding ground for bugs, so I recommend converting it recursively into a plain Hash before use.
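The chain described in slides 20 and 26 (suffix-based respond_to_missing? makes respond_to?(:permitted?) true, permitted? then evaluates to false, strong parameters raises) and the fix recommended in slide 28 (recursively convert to a plain Hash) can both be reproduced without Rails, OmniAuth or Hashie installed. The following is an added example, not code from the talk or from those projects: SuffixMash is a deliberately simplified stand-in for Hashie::Mash (only the suffix behaviour is imitated; the suffix set ?, !, =, _ is my assumption about Hashie), sanitize_for_mass_assignment copies the logic shown on the slides, and AUTH_HASH is a constructed sample shaped like env['omniauth.auth'].

```ruby
# Added example, not code from the talk or from OmniAuth, Hashie or Rails.
# SuffixMash is a simplified stand-in for Hashie::Mash that keeps only the
# behaviour the talk points at: respond_to_missing? says yes to any unknown
# method name ending in one of its suffixes, and method_missing then answers
# the call from the underlying hash.
class SuffixMash
  SUFFIXES = %w[? ! = _].freeze # assumed to match Hashie::Mash's suffix set

  def initialize(hash = {})
    @data = {}
    hash.each { |k, v| @data[k.to_s] = v.is_a?(Hash) ? SuffixMash.new(v) : v }
  end

  def [](key)
    @data[key.to_s]
  end

  def key?(key)
    @data.key?(key.to_s)
  end

  # Mimics the Mash behaviour: true for a known key, and true for *any* name
  # that carries a suffix, whether or not a matching key exists.
  def respond_to_missing?(name, include_private = false)
    n = name.to_s
    return true if key?(n) || SUFFIXES.include?(n[-1])
    super
  end

  def method_missing(name, *args)
    n = name.to_s
    case n[-1]
    when "?" then !!self[n[0..-2]]            # foo? => truthiness of "foo"
    when "=" then @data[n[0..-2]] = args.first
    when "!", "_" then self[n[0..-2]]
    else key?(n) ? self[n] : super
    end
  end

  # The mitigation the talk recommends: recursively rebuild a plain Hash,
  # which has no suffix magic and so does not respond to :permitted?.
  def to_plain_hash
    @data.transform_values { |v| v.is_a?(SuffixMash) ? v.to_plain_hash : v }
  end
  alias to_h to_plain_hash
end

class ForbiddenAttributesError < StandardError; end

# Same logic as Rails' ForbiddenAttributesProtection shown on the slides.
def sanitize_for_mass_assignment(attributes)
  if attributes.respond_to?(:permitted?)
    raise ForbiddenAttributesError if !attributes.permitted?
    attributes.to_h
  else
    attributes
  end
end

# Constructed sample shaped like env['omniauth.auth']; the values are made up.
AUTH_HASH = SuffixMash.new(
  "provider" => "github",
  "uid" => "12345",
  "info" => { "nickname" => "example-user" }
)

# Feeding the Mash straight into mass assignment: respond_to?(:permitted?)
# is true because of the "?" suffix, permitted? then evaluates to false
# (there is no "permitted" key), and the error from the talk is raised.
def assign_raw(auth)
  sanitize_for_mass_assignment(auth)
  :ok
rescue ForbiddenAttributesError
  :forbidden
end

# Converting to a plain Hash first: a Hash has no permitted? method, so the
# attributes pass through untouched.
def assign_plain(auth)
  attrs = sanitize_for_mass_assignment(auth.to_plain_hash)
  attrs.is_a?(Hash) && attrs["uid"] == "12345" ? :ok : :unexpected
end

if $PROGRAM_NAME == __FILE__
  puts "raw Mash:   #{assign_raw(AUTH_HASH)}"   # raw Mash:   forbidden
  puts "plain Hash: #{assign_plain(AUTH_HASH)}" # plain Hash: ok
end
```

The point to take from the run is that the check in strong parameters is a duck-typing check: it trusts any object that answers respond_to?(:permitted?), so an object whose respond_to_missing? is over-generous is misclassified as an unpermitted ActionController::Parameters and rejected. Converting the auth hash to a plain Hash (or explicitly whitelisting the keys you need) removes that ambiguity before the data reaches mass assignment.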