Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
久々にコードを書いてOmniauthでハマった話
Search
Hiroaki Ninomiya
March 24, 2021
Programming
0
910
久々にコードを書いてOmniauthでハマった話
Fukuoka.rb 200回 LT大会 (#202)
https://fukuokarb.connpass.com/event/206956/
Hiroaki Ninomiya
March 24, 2021
Tweet
Share
More Decks by Hiroaki Ninomiya
See All by Hiroaki Ninomiya
渋谷アジャイルコミュニティへの想い #shibuyagile
treby
0
200
IM@Study活動紹介
treby
1
470
全ての雑用を、生まれる前に消し去りたい
treby
0
440
Webエンジニアからデータエンジニアへ転向している話 #pronama
treby
0
340
Rails 6.0の気になった新機能 #shuuumai
treby
1
650
Shinjuku.rbの移り変わりについて、あるいは大規模カンファレンスの知見を募集したい話 #tqrk13
treby
1
140
EMの悩みにフォーカスする #em_izakaya
treby
0
520
この先生きのこるためのエンジニアキャリア戦略パターン #em_meetup
treby
5
2.4k
失敗から学ぶEM方法論 #em_meetup
treby
0
1.4k
Other Decks in Programming
See All in Programming
feature環境をGitHub ActionsとCloudFormationでいい感じに管理する
nealle
2
310
Namespace on read
tagomoris
2
370
ぼっちを避けて楽しむためのアノテコノテ / Various Tips and Tricks to Avoid Loneliness and Have Fun
nrslib
3
1.7k
Jetpack for KMP
fornewid
1
290
Harnessing Large Language Models for Training-free Video Anomaly Detection
tereka114
1
1.3k
Findy - エンジニア向け会社紹介 / Findy Letter for Engineers
findyinc
2
81k
みんなのオブザーバビリティプラットフォームを作ってるんだがパフォーマンスがやばい #mackerelio #srenext
ne_sachirou
0
370
TiDB Serverless ~理想のServerless DBを考える~
soso_15315
1
160
Activities at Cairo Library
cairolibrary720
0
1.2k
I/O Extended Android in Korea 2024 ~ Whats new in Android development tools
pluu
0
250
Modern Angular: Renovation for Your Applications
manfredsteyer
PRO
0
140
The rollercoaster of releasing an Android, iOS, and macOS app with Kotlin Multiplatform | droidcon Berlin
prof18
0
110
Featured
See All Featured
Designing on Purpose - Digital PM Summit 2013
jponch
113
6.6k
Code Review Best Practice
trishagee
58
16k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
24
1.8k
What the flash - Photography Introduction
edds
65
11k
Become a Pro
speakerdeck
PRO
15
4.8k
Building Flexible Design Systems
yeseniaperezcruz
323
37k
Building Effective Engineering Teams - LeadDev
addyosmani
47
2.2k
Git: the NoSQL Database
bkeepers
PRO
423
64k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.9k
The Illustrated Children's Guide to Kubernetes
chrisshort
39
47k
The Invisible Side of Design
smashingmag
294
50k
Six Lessons from altMBA
skipperchong
24
3.2k
Transcript
OmniauthͰϋϚͬͨ 2021/03/24 Fukuoka.rb 200ճLTେձ @treby006
About Me • treby (ͱΕͼʔ) • @treby006 • Shinjuku.rbͷੈ
About Me • ࣮(?)Ԭग़ • Ԭࢢ౦۠/۠ɺେໂాࢢʹ༝ԑ͕͋Γ·͢
About Me • ಠཱܥϕϯνϟʔΩϟϐλϧۈ • ελʔτΞοϓ͖͕ߴͯ͡ग़ࢿଆʹ • ҎલBtoCBtoBͷελʔτΞοϓͰRailsΤϯδχΞ • Rubyք۾ͩͱʮjoker͞Μ͕͍Δͱ͜ʯͰ௨͡Δ͔Βָ
• ITΛऔΓѻ͏͚ͲɺۀͰίʔυॻ͔ͳ͍
About Me • ಠཱܥϕϯνϟʔΩϟϐλϧۈ • ελʔτΞοϓ͖͕ߴͯ͡ग़ࢿଆʹ • ҎલBtoCBtoBͷελʔτΞοϓͰRailsΤϯδχΞ • Rubyք۾ͩͱʮjoker͞Μ͕͍Δͱ͜ʯͰ௨͡Δ͔Βָ
• ITΛऔΓѻ͏͚ͲɺۀͰίʔυॻ͔ͳ͍ => ͚Ͳॻ͖͍ͨ
ίʔυΛॻ͔ͳ͘ͳͬͯ͠·ͬͨਓ͋Δ͋ΔͷΈ • ࠷৽ͷٕज़ΛΩϟονΞοϓͰ͖ͳ͘ͳΔͷͰͳ͍͔ • ٕज़ྗ͕མͪͯ͠·͏ͷͰͳ͍͔ • ࣍ʹస৬ͨ͠ͱ͖ʹ։ൃऀͱͯ͠৯͍ͬͺ͙ΕΔͷͰͳ͍͔ • ͍͔ͭ͠ΩϟϦΞ͕த్ʹͳͬͯ͠·͏ͷͰͳ͍͔ •
ݱײ͕ͳ͘ͳͬͯ͠·͏ͷͰͳ͍͔
ίʔυΛॻ͔ͳ͘ͳͬͯ͠·ͬͨਓ͋Δ͋ΔͷΈ • ࠷৽ͷٕज़ΛΩϟονΞοϓͰ͖ͳ͘ͳΔͷͰͳ͍͔ • ٕज़ྗ͕མͪͯ͠·͏ͷͰͳ͍͔ • ࣍ʹస৬ͨ͠ͱ͖ʹ։ൃऀͱͯ͠৯͍ͬͺ͙ΕΔͷͰͳ͍͔ • ͍͔ͭ͠ΩϟϦΞ͕த్ʹͳͬͯ͠·͏ͷͰͳ͍͔ •
ݱײ͕ͳ͘ͳͬͯ͠·͏ͷͰͳ͍͔
ݱײ͕ͳ͘ͳΔͱԿ͕ྑ͘ͳ͍ͷ͔ • ۀ্ͷೳྗ͕Լ: ࢿݕ౼ͷࡍͷ։ൃྗݟཱͯ(σϡʔσϦδΣϯε) • ར͖͕Ͱ͖ͳ͘ͳ͍ͬͯ͘ͷͰʁ • ઐՈͱͯ͠ίϝϯτ͢Δ༰্͕Γͯ͠͠·͏ͷͰʁ • ͋Δࣄྫʹ৮Εͨ࣌ʹʮࣗͷݴ༿ʯͰͤͳ͍Ͳ͔͠͞
• ͰɺͲ͏͢Δʁ
ͦ͏ͩɺ։ൃ͠Α͏
αΠυϓϩδΣΫτɺ͡Ί·ͨ͠ • ਓͱझຯϓϩμΫτ࡞Γ / ։ൃΛঠ͢ΔཱͪҐஔ • LINEͷϛχΞϓϦ(ࠓεςϧε) / ۙʑ͓൸࿐Ͱ͖Δͱྑ͍ͳ •
جຊతʹθϩ͔Βͷ্ཱͪ͛(1݄ʙ) • ։ൃج൫࡞ΓνʔϜϏϧσΟϯάͰָ͖͍ͯ͠
γεςϜߏਤ
ٕज़ελοΫ • ϑϩϯτ(LIFFΞϓϦ): Vue CLI (webpackerෆ༻) • Next.js on Vercel
• αʔό: Rails 6.1.3 (Ruby 3.0) on Heroku • omniauth • administrate • ridgepole • crono_trigger
ٕज़ελοΫ • ϑϩϯτ(LIFFΞϓϦ): Vue CLI (webpackerෆ༻) • Next.js on Vercel
• αʔό: Rails 6.1.3 (Ruby 3.0) on Heroku • omniauth • administrate • ridgepole • crono_trigger
omniauth • ϚϧνϓϩόΠμͷೝূΛఏڙ͢Δgem • ʮSNSϩάΠϯʯΛ࣮͢Δͷʹྑ͘ΘΕΔΠϝʔδ • ࣮ʹར༻͍ͨ͠ϓϩόΠμ͚ͷϓϥάΠϯ͕ඞཁ • omniauth-twitteromniauth-githubͳͲ •
ཧը໘ͷ؆қϩάΠϯػೳͷͨΊʹ࠾༻ • LINEͷϛχΞϓϦͳͷͰLINEͱੑ͕ߴ͍ • omniauth-line ͱҰॹʹಋೖͯ͠LINEϩάΠϯ࣮ͩʂ
ಋೖ؆୯ • omniauth gemͱ͍͍ͨϓϩόΠμͷgemΛbundleͯ͠ Gemfile gem 'omniauth' gem 'omniauth-line'
ίʔϧόοΫΛड͚͚ΔΑ͏ʹͯ͠ • SessionsController ͱϧʔςΟϯάͷ४උ config/routes.rb get '/auth/:provider/callback', to: 'sessions#callback' post
'/auth/:provider/callback', to: 'sessions#callback' get '/logout', to: 'sessions#destroy', as: :logout
ϩάΠϯඞཁͳActionʹϦμΠϨΫτΛઃఆ AdminController before_action :authenticate_admin def authenticate_admin if current_admin_challenger.nil? redirect_to '/admin/auth/line'
end end
Callback URLͷϗϫΠτϦετొ(LINE)
Α࣮͠ߦͩ
͏·͍͔͘ͳ͍orz
ఆ֎ͷΤϥʔͩͬͨͷͰ • ϧʔςΟϯά͕ؒҧ͍ͬͯΔͷͰͳ͍͔ • typoͳ͍͔ • omniauth-line ͕ϝϯς͞Ε͍ͯͳ͍ͷͰ • omniauth
ͷgem·ͰΈʹ͍ͬͨ
ḷΓண͍ͨͷ • omniauthͷ༷มߋ • 2019ࠒͷมߋͰͨ͠ɻࣗͷແ͞Α…… • എܠ: ੬ऑੑCVE-2015-9284 ରԠΒ͍͠ •
CSRF͞ΕΔϦεΫ͕͋ΔΑ • GETͰ͍͚Δ͔Βҙਤ͠ͳ͍ϩάΠϯͤ͞ΒΕΔΑͶ(ͱ͍͏ཧղ) • ੬ऑੑ͔ͩΒରԠͨ͠ํ͕ྑ͍ • ͪΐͬͱͤྑ͍ͷͰͳ͘ɺຯʹରԠ͕໘
ྑ͘ͳ͍͚ͲɺΦϓγϣϯΛແޮԽͯ͠ରԠ • ੬ऑੑΔΘ͚Ͱ͕͢ɺҰ୴ྑ͍͔ͳɺͱ͍͏அ • ͜ΕͰಈ͖·ͨ͠ config/initializers/omniauth.rb Rails.application.config.middleware.use OmniAuth::Builder do configure
do |config| config.allowed_request_methods = %i[get post] config.silence_get_warning = true end : end
ͪΌΜͱରԠ͢ΔͳΒ • gemͬΆ͍ͷଘࡏ͍ͯ͠Δ: ೖΕΕྑ͍ͱ͍͏Θ͚Ͱͳ͍? • https://github.com/cookpad/omniauth-railscsrfprotection • ҰճϩάΠϯϘλϯ͕͋Δϖʔδʹඈ͢ײ͡ • ϦμΠϨΫτͰPOSTͤ͞Δͷͬͯ͘͠ͳ͍ʁ
• ৄ͘͠ͳ͍ͷͰڭ͍͑ͯͩ͘͞><
·ͱΊ • αΠυϓϩδΣΫτ͍͍ͧ • ݱײɺഓ͍ͬͯͧ͘ʂ • gemͷߋ৽ʹશવ͍͍͚ͭͯͯͳͯ͘ϫϩλ • खΛಈ͔ͯٔ͠ΕΔ͜ͱେࣄ
એ • ϙουΩϟετΛ͍ͬͯΔͷͰྑ͔ͬͨΒௌ͍ͯͶ • ͯ͘͠Ε͍͍ͯͷΑ
Happy Hacking!!