貴方はOmniAuth::AuthHashを知っていますか？

Transcript

1. وํ͸OmniAuth::AuthHash Λ஌͍ͬͯ·͔͢ʁ @teitei_tk

2. ͓લ͸୭ͳΜͩɻ • ΠϯλʔωοτͰ͸@teitei_tkɺ teitei-tk౳Ͱੜଉ͍ͯ͠·͢ɻΞ Πίϯ͸ӈͰ΍͓ͬͯΓ·͢ɻ • ࠓͷͱ͜Ζɺfreeeͱ͍͏ձࣾʹ ॴଐ͍ͯ͠·͢ɻ • झຯ͸มͳTγϟπΛணΔ͜ͱɻ

   23:00͔Βχϡʔε൪૊ͷ࣮گΛ ͢Δ͜ͱͰ͢ɻ • কདྷ͸σΟετϐΞͳੈքͰ೴ ਷ʹͳͬͯ༨ੜΛա͍ͨ͝͠ɻ

3. ࠓ೔࿩͢͜ͱ

4. ͷલʹ OmniAuthʹ͍ͭͯ

5. OmniAuthʹ͍ͭͯͷৼΓฦΓ • WebΞϓϦέʔγϣϯʹͯϓϩόΠμೝূͷखஈΛఏڙ͢ ΔϥΠϒϥϦ • ޠฐΛڪΕͣʹݴ͑͹ɺ͍ΘΏΔOAuthೝূ(Twitterɺ GithubɺGoogle, etc)ΛؾܰʹఏڙͰ͖ΔϥΠϒϥϦ • ࣗલͷOAuthೝূ΋࣮૷͢Δ͜ͱ͕Ͱ͖·͢ɻ

6. OmniAuthͰGithubΛݕࡧ • Repository 3k • Code 1M • Commits 66k

   • https://github.com/ search?q=omniauth • ͍ΘΏΔσϑΝΫτε λϯμʔυ

7. ຊ୊

8. وํ͸OmniAuth::AuthHash Λ஌͍ͬͯ·͔͢ʁ

9. OmniAuth::AuthHashʹ͍ͭͯ • ϓϩόΠμೝূޙ ʹؼͬͯ͘Δύϥ ϝʔλͷ஋ͷClass Ͱ͢ɻ • ͜ͷUMLਤͰ͸ Callback Phase͔

   ΒͷokͷฦΓ஋Ͱ ͢Ͷɻ

10. ࣮ࡍʹݟͨ΄͏͕ૣ͍

11. • rack middlewareɾRailsͷઆ໌ʹͳΔͱ޿͘ͳΔͷͰল͖ ·͢ɻ • ࠓճ͸Rails্ͰOmniAuthΛར༻͍ͯ͠ΔࣄΛલఏͰ͢ɻ

12. lib/omniauth/strategy.rb • ࣮ࡍʹOmniAuthͷιʔείʔυΛಡΜͰ͍͘ɻ • lib/omniauth/strategy.rb • Githubʹhosting͞Ε͍ͯ·͢ɻ • 1. L176:ͷcall!͔ΒL367:callback_phase͕ݺ͹Ε·͢ɻ

    • env['omniauth.auth'] = auth_hash • ͜ͷauth_hash͕ࠓճͷओ໾Ͱ͢ɻ

13. ControllerͰऔಘ͢Δ৔߹ • RailsଆͰ͸͜Μͳײ ͡ͰऔಘͰ͖·͢ɻ 1 class SessionController < ApplicationController 2

    def create 3 # do something 4 puts auth_hash 5 end 6 7 protected 8 9 def auth_hash 10 request.env['omniauth.auth'] 11 end 12 end

14. ͜ͷ͋ͱΑ͋͘Δॲཧ • ActiveModelͱͯ͠ද ݱΛߦ͏ • ActiveRecordͰRecord Λ௥Ճ͢Δ • αϯϓϧͱͯ͠͸ӈͷ Α͏ͳίʔυͰ͠ΐ͏

    ͔ɻ 1 class Github::Schema 2 include ActiveModel::Model 3 include ActiveModel::Attributes 4 5 validates :provider, :uid, presence: true 6 7 attribute :provider, :string 8 attribute :uid, :string 9 10 # do something 11 end 12 13 github = Github::Schema.new(auth_hash)

15. • ActiveModel::ForbiddenAttributesError

16. • ?????????????????? • Α͘Θ͔ΒΜ

17. Α͘Θ͔ΒΜɻ

18. ιʔείʔυΛ௥͏ɻ

19. OmniAuth::AuthHash • OmniAuth::AuthHash ͸ OmniAuth::KeyStore Λར༻͠ ͍ͯΔɻ • Hashieͱ͍͏module͕ఏڙ͍ͯ͠Δ Hashie::Mashͱ͍͏classΛܧঝ͍ͯ͠Δɻ

20. Hashie::Mash • Object#respond_to_missing? Λܧঝ͍ͯ͠Δɻ • Line:251ʹ࣮૷͕͋Γ·͕͢ɺsuffix͕ͭ͘ίʔυͳΒ໰ ౴ແ༻ͰtrueΛฦ͍ͯ͠Δɻ

21. ActiveModel::ForbbidenAttri butesErrorͱ͸ • Railsͷstrong parameterͱ͍͏࢓૊Έ

22. ActiveModel::ForbbidenAttri buteError 1 module ForbiddenAttributesProtection # :nodoc: 2 private 3

    def sanitize_for_mass_assignment(attributes) 4 if attributes.respond_to?(:permitted?) 5 raise ActiveModel::ForbiddenAttributesError if !attributes.permitted? 6 attributes.to_h 7 else 8 attributes 9 end 10 end 11 alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment 12 end 13 end

23. צͷྑ͍ํ͸ࠓͷͰؾ ͔ͮ͘΋͠Εͳ͍ɻ

24. #ຊ౰ʹ͋Δා͍ίʔυ

25. ͜͜Ͱ΋͏Ұ౓ ActiveModel::ForbbidenAttributeError 1 module ForbiddenAttributesProtection # :nodoc: 2 private 3

    def sanitize_for_mass_assignment(attributes) 4 if attributes.respond_to?(:permitted?) 5 raise ActiveModel::ForbiddenAttributesError if !attributes.permitted? 6 attributes.to_h 7 else 8 attributes 9 end 10 end 11 alias :sanitize_forbidden_attributes :sanitize_for_mass_assignment 12 end 13 end

26. • Hashie͸ Object#respond_to_missing? Λܧঝ͓ͯ͠Γɺಛఆ ͷsuffix͕͍ͭͨίʔυͳΒશͯtrue͕ม͑ΔΑ͏ʹͳ͍ͬͯ Δɻ • Omniauth::AuthHash(Hashie)Λར༻ͯ͠ActiveModelΛ࡞Δ ͱɺsanitize_for_mass_assignmentʹͯpermit͞Εͨparameter ͔Λrespond_to?(:permitted?)Ͱݟ͍ͯΔ

    • if attributes.respond_to?(:permitted?)ͷॲཧ͕௨ͬͯ͠· ͏ɻ(͜͜Ͱ͍͏attributesͱ͸Omniauth::AuthHash) • ݁Ռͱͯ͠ɻActiveModel::ForbbidenAttributeError͕ൃੜ͢Δɻ

27. ͳͥHashieΛར༻͍ͯ͠Δͷ ͔ɾɾɾʁ • Θ͔ΒΜɻ • ා͍

28. ·ͱΊ • OmniAuth::AuthHash͸ͨͩͷHashClassͰ͸ͳ͍ɻ • Object#respond_to_missing? Λܧঝͯ͠ಠࣗʹॲཧΛ࣮૷͠ ͍ͯͨΓɺmethod໊͕suffixͳΒtrueΛฦ͢ͳͲɺRails͕ఏڙ ͍ͯ͠Δ Active* ܥͷModuleͱͷ૬ੑ͕ѱ͍ɻ

    • ૬ੑͱ͍͏͔ߦّ͕ѱ͍ɾɾɾʁ • ͦͷ··ར༻͢Δͷ͸ෆ۩߹ͷԹচʹͳΔͷͰɺ࠶ؼॲཧΛߦͬ ͯϓϨʔϯͳHashClassԽ͢ΔͳͲͷରԠΛ͓͢͢Ί͠·͢ɻ
29. None