
The story of how I wrote code for the first time in ages and got stuck on Omniauth


Fukuoka.rb 200th LT meetup (#202)
https://fukuokarb.connpass.com/event/206956/


Hiroaki Ninomiya

March 24, 2021

Transcript

  1. The story of how I got stuck on Omniauth. 2021/03/24, Fukuoka.rb 200th LT meetup, @treby006

  2. About Me • treby (pronounced "torebii") • @treby006 • Organizer of Shinjuku.rb

  3. About Me • Actually (?) from Fukuoka • I have ties to Higashi Ward and Nishi Ward in Fukuoka City, and to Omuta City

  4. About Me • I work at an independent venture capital firm in Tokyo • My fondness for startups grew until I ended up on the investor side • Previously a Rails engineer at BtoC and BtoB startups • In Ruby circles, "the place where joker-san is" is enough to identify it, which makes things easy • I deal with IT, but I don't write code for work

  5. About Me • I work at an independent venture capital firm in Tokyo • My fondness for startups grew until I ended up on the investor side • Previously a Rails engineer at BtoC and BtoB startups • In Ruby circles, "the place where joker-san is" is enough to identify it, which makes things easy • I deal with IT, but I don't write code for work => but I want to

  6. The usual worries of someone who has stopped writing code • Will I no longer be able to catch up with the latest technology? • Will my technical skills decline? • When I next change jobs, will I be unable to make a living as a developer? • Will my career end up half-baked before I know it? • Will I lose my feel for the field?

  8. What is bad about losing that feel for the field? • My ability at work declines: estimating a team's development capability when evaluating an investment (due diligence) • Won't my judgment get worse? • Won't the comments I make as a domain expert become superficial? • The frustration of not being able to talk about a case "in my own words" • So, what to do?

  9. Right, let's build something

  10. I started a side project • Building a hobby product with an acquaintance / my position is overseeing development • A LINE mini app (currently in stealth) / hoping to unveil it soon • Basically a from-scratch start (since January) • Setting up the development infrastructure and team building are fun too

  11. System architecture diagram

  12. Tech stack • Front end (LIFF app): Vue CLI (no webpacker) • Next.js on Vercel • Server: Rails 6.1.3 (Ruby 3.0) on Heroku • omniauth • administrate • ridgepole • crono_trigger

  14. omniauth • A gem that provides multi-provider authentication • My impression is that it is commonly used to implement "social login" • To implement it you need a plugin for the provider you want to use • omniauth-twitter, omniauth-github, etc. • Adopted for a simple login feature on the admin screen • Since this is a LINE mini app, LINE is a natural fit • Add omniauth-line alongside it and implement LINE login!

  15. Setup is easy • Bundle the omniauth gem and the gem for the provider you want to use
      Gemfile
        gem 'omniauth'
        gem 'omniauth-line'

  16. Accept the callback • Prepare a SessionsController and the routing
      config/routes.rb
        get  '/auth/:provider/callback', to: 'sessions#callback'
        post '/auth/:provider/callback', to: 'sessions#callback'
        get  '/logout', to: 'sessions#destroy', as: :logout

  17. Set up a redirect on actions that require login
      AdminController
        before_action :authenticate_admin

        def authenticate_admin
          if current_admin_challenger.nil?
            redirect_to '/admin/auth/line'
          end
        end

  18. Registering the callback URL on the whitelist (LINE)

  19. OK, let's run it

  20. It doesn't work orz

  21. Since it was an unexpected error, I checked • Is the routing wrong? • Any typos? • Is omniauth-line no longer maintained? • and went all the way into the omniauth gem itself

  22. What I arrived at • A spec change in omniauth • It was made around 2019. Oh, how ignorant I was…… • Background: apparently a response to vulnerability CVE-2015-9284 • There is a risk of CSRF • Since GET works, a user can be made to log in without intending to (as I understand it) • It's a vulnerability, so it's better to address it • Not a quick fix; dealing with it properly is a bit of a hassle

  23. Not good, but I worked around it by disabling the option • The vulnerability remains, but I judged it acceptable for now • This made it work
      config/initializers/omniauth.rb
        Rails.application.config.middleware.use OmniAuth::Builder do
          configure do |config|
            config.allowed_request_methods = %i[get post]
            config.silence_get_warning = true
          end
          :
        end

  24. If you want to fix it properly • There is a gem for it, but it's not as simple as just adding it? • https://github.com/cookpad/omniauth-rails_csrf_protection • It seems you redirect once to a page that has a login button • Isn't it hard to make a redirect issue a POST? • I'm not very knowledgeable here, so please teach me ><

  25. Summary • Side projects are great • I'm going to build up that feel for the field! • Lol, I hadn't kept up with gem updates at all • Getting your hands dirty and tinkering matters

  26. Plug • I do a podcast, so give it a listen if you like • You're welcome to come on and talk too

  27. Happy Hacking!!
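Added example for slides 23 and 24, not code from the talk, from OmniAuth or from the cookpad gem: a plain-Ruby model of the request phase that contrasts the workaround (GET allowed, no token check) with the intended fix (POST only, verified against a session-bound token). `RequestPhaseGuard`, the request hashes and `outcomes` are my own stand-ins, not OmniAuth's API.

```ruby
require 'securerandom'

# Hypothetical stand-in for the OmniAuth request phase (not the gem's code). It models the two
# settings the talk contrasts: which HTTP methods may start the flow, and whether a session-bound
# CSRF token is checked first (the check that omniauth-rails_csrf_protection adds to Rails apps).
class RequestPhaseGuard
  def initialize(allowed_request_methods:, verify_csrf_token:)
    @allowed = allowed_request_methods
    @verify  = verify_csrf_token
  end

  # Token bound to the user's session; a page on another origin can never read it.
  def issue_token(session)
    session[:csrf_token] ||= SecureRandom.hex(32)
  end

  # :redirect_to_provider when the login flow would start, otherwise the reason it was refused.
  def call(request, session)
    return :method_not_allowed unless @allowed.include?(request[:method])
    return :csrf_rejected if @verify && !valid_token?(request, session)
    :redirect_to_provider
  end
  private
  def valid_token?(request, session)
    expected = session[:csrf_token]
    given    = request[:params]['authenticity_token']
    return false if expected.nil? || given.nil? || expected.bytesize != given.bytesize
    # Constant-time comparison so the check leaks nothing about the token.
    expected.bytes.zip(given.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
# Slide 23 workaround: GET allowed, no token check. Intended fix: POST only, token verified.
WEAK_GUARD   = RequestPhaseGuard.new(allowed_request_methods: %i[get post], verify_csrf_token: false)
STRICT_GUARD = RequestPhaseGuard.new(allowed_request_methods: %i[post], verify_csrf_token: true)
# Constructed requests: a page on another origin can make the victim's browser send either of
# these, but cannot read the victim's session token, so neither carries one.
CROSS_SITE_GET  = { method: :get,  params: {} }.freeze
CROSS_SITE_POST = { method: :post, params: {} }.freeze
# Runs the three request kinds against one guard and returns each outcome.
def outcomes(guard)
  session    = {}
  cross_get  = guard.call(CROSS_SITE_GET, session)
  cross_post = guard.call(CROSS_SITE_POST, session)
  # The site's own login button: a form POST carrying the token issued to this session.
  own_form   = { method: :post, params: { 'authenticity_token' => guard.issue_token(session) } }
  { cross_site_get: cross_get, cross_site_post: cross_post, own_login_button: guard.call(own_form, session) }
end

puts "weak:   #{outcomes(WEAK_GUARD)}", "strict: #{outcomes(STRICT_GUARD)}"
```

With the weak settings every request starts the login flow, including a plain cross-site GET link; with the strict settings only the site's own form POST carrying the session token gets through.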