久々にコードを書いてOmniauthでハマった話

Transcript

1. OmniauthͰϋϚͬͨ࿩ 2021/03/24 Fukuoka.rb 200ճLTେձ @treby006

2. About Me • treby (ͱΕͼʔ) • @treby006 • Shinjuku.rbͷੈ࿩໾

3. About Me • ࣮͸(?)෱Ԭग़਎ • ෱Ԭࢢ౦۠/੢۠ɺେໂాࢢʹ༝ԑ͕͋Γ·͢

4. About Me • ౎಺ಠཱܥϕϯνϟʔΩϟϐλϧۈ຿ • ελʔτΞοϓ޷͖͕ߴͯ͡ग़ࢿଆʹ • Ҏલ͸BtoC΍BtoBͷελʔτΞοϓͰRailsΤϯδχΞ • Rubyք۾ͩͱʮjoker͞Μ͕͍Δͱ͜ʯͰ௨͡Δ͔Βָ

   • ITΛऔΓѻ͏͚Ͳɺۀ຿Ͱ͸ίʔυ͸ॻ͔ͳ͍

5. About Me • ౎಺ಠཱܥϕϯνϟʔΩϟϐλϧۈ຿ • ελʔτΞοϓ޷͖͕ߴͯ͡ग़ࢿଆʹ • Ҏલ͸BtoC΍BtoBͷελʔτΞοϓͰRailsΤϯδχΞ • Rubyք۾ͩͱʮjoker͞Μ͕͍Δͱ͜ʯͰ௨͡Δ͔Βָ

   • ITΛऔΓѻ͏͚Ͳɺۀ຿Ͱ͸ίʔυ͸ॻ͔ͳ͍ => ͚Ͳॻ͖͍ͨ

6. ίʔυΛॻ͔ͳ͘ͳͬͯ͠·ͬͨਓ͋Δ͋Δͷ೰Έ • ࠷৽ͷٕज़ΛΩϟονΞοϓͰ͖ͳ͘ͳΔͷͰ͸ͳ͍͔ • ٕज़ྗ͕མͪͯ͠·͏ͷͰ͸ͳ͍͔ • ࣍ʹస৬ͨ͠ͱ͖ʹ։ൃऀͱͯ͠৯͍ͬͺ͙ΕΔͷͰ͸ͳ͍͔ • ͍͔ͭ͠ΩϟϦΞ͕த్൒୺ʹͳͬͯ͠·͏ͷͰ͸ͳ͍͔ •

   ݱ৔ײ͕ͳ͘ͳͬͯ͠·͏ͷͰ͸ͳ͍͔

7. ίʔυΛॻ͔ͳ͘ͳͬͯ͠·ͬͨਓ͋Δ͋Δͷ೰Έ • ࠷৽ͷٕज़ΛΩϟονΞοϓͰ͖ͳ͘ͳΔͷͰ͸ͳ͍͔ • ٕज़ྗ͕མͪͯ͠·͏ͷͰ͸ͳ͍͔ • ࣍ʹస৬ͨ͠ͱ͖ʹ։ൃऀͱͯ͠৯͍ͬͺ͙ΕΔͷͰ͸ͳ͍͔ • ͍͔ͭ͠ΩϟϦΞ͕த్൒୺ʹͳͬͯ͠·͏ͷͰ͸ͳ͍͔ •

   ݱ৔ײ͕ͳ͘ͳͬͯ͠·͏ͷͰ͸ͳ͍͔

8. ݱ৔ײ͕ͳ͘ͳΔͱԿ͕ྑ͘ͳ͍ͷ͔ • ۀ຿্ͷೳྗ͕௿Լ: ౤ࢿݕ౼ͷࡍͷ։ൃྗݟཱͯ(σϡʔσϦδΣϯε) • ໨ར͖͕Ͱ͖ͳ͘ͳ͍ͬͯ͘ͷͰ͸ʁ • ઐ໳Ոͱͯ͠ίϝϯτ͢Δ಺༰্͕׈Γͯ͠͠·͏ͷͰ͸ʁ • ͋Δࣄྫʹ৮Εͨ࣌ʹʮࣗ෼ͷݴ༿ʯͰ࿩ͤͳ͍΋Ͳ͔͠͞

   • Ͱ͸ɺͲ͏͢Δʁ

9. ͦ͏ͩɺ։ൃ͠Α͏

10. αΠυϓϩδΣΫτɺ͸͡Ί·ͨ͠ • ஌ਓͱझຯϓϩμΫτ࡞Γ / ։ൃΛ؅ঠ͢ΔཱͪҐஔ • LINEͷϛχΞϓϦ(ࠓ͸εςϧε) / ۙʑ͓൸࿐໨Ͱ͖Δͱྑ͍ͳ •

    جຊతʹ͸θϩ͔Βͷ্ཱͪ͛(1݄ʙ) • ։ൃج൫࡞Γ΍νʔϜϏϧσΟϯά΋Ͱָ͖͍ͯ͠

11. γεςϜߏ੒ਤ

12. ٕज़ελοΫ • ϑϩϯτ(LIFFΞϓϦ): Vue CLI (webpackerෆ࢖༻) • Next.js on Vercel

    • αʔό: Rails 6.1.3 (Ruby 3.0) on Heroku • omniauth • administrate • ridgepole • crono_trigger

13. ٕज़ελοΫ • ϑϩϯτ(LIFFΞϓϦ): Vue CLI (webpackerෆ࢖༻) • Next.js on Vercel

    • αʔό: Rails 6.1.3 (Ruby 3.0) on Heroku • omniauth • administrate • ridgepole • crono_trigger

14. omniauth • ϚϧνϓϩόΠμͷೝূΛఏڙ͢Δgem • ʮSNSϩάΠϯʯΛ࣮૷͢Δͷʹྑ͘࢖ΘΕΔΠϝʔδ • ࣮૷ʹ͸ར༻͍ͨ͠ϓϩόΠμ޲͚ͷϓϥάΠϯ͕ඞཁ • omniauth-twitter΍omniauth-githubͳͲ •

    ؅ཧը໘ͷ؆қϩάΠϯػೳͷͨΊʹ࠾༻ • LINEͷϛχΞϓϦͳͷͰLINEͱ਌࿨ੑ͕ߴ͍ • omniauth-line ͱҰॹʹಋೖͯ͠LINEϩάΠϯ࣮૷ͩʂ

15. ಋೖ͸؆୯ • omniauth gemͱ࢖͍͍ͨϓϩόΠμͷgemΛbundleͯ͠ Gemfile gem 'omniauth' gem 'omniauth-line'

16. ίʔϧόοΫΛड͚෇͚ΔΑ͏ʹͯ͠ • SessionsController ͱϧʔςΟϯάͷ४උ config/routes.rb get '/auth/:provider/callback', to: 'sessions#callback' post

    '/auth/:provider/callback', to: 'sessions#callback' get '/logout', to: 'sessions#destroy', as: :logout

17. ϩάΠϯඞཁͳActionʹϦμΠϨΫτΛઃఆ AdminController before_action :authenticate_admin def authenticate_admin if current_admin_challenger.nil? redirect_to '/admin/auth/line'

    end end

18. Callback URLͷϗϫΠτϦετొ࿥(LINE)

19. Α࣮͠ߦͩ

20. ͏·͍͔͘ͳ͍orz

21. ૝ఆ֎ͷΤϥʔͩͬͨͷͰ • ϧʔςΟϯά͕ؒҧ͍ͬͯΔͷͰ͸ͳ͍͔ • typo͸ͳ͍͔ • omniauth-line ͕ϝϯς͞Ε͍ͯͳ͍ͷͰ͸ • omniauth

    ͷgem·ͰΈʹ͍ͬͨ

22. ḷΓண͍ͨͷ͸ • omniauthͷ࢓༷มߋ • 2019೥ࠒͷมߋͰͨ͠ɻࣗ෼ͷແ஌͞Α…… • എܠ: ੬ऑੑCVE-2015-9284 ରԠΒ͍͠ •

    CSRF͞ΕΔϦεΫ͕͋ΔΑ • GETͰ͍͚Δ͔Βҙਤ͠ͳ͍ϩάΠϯͤ͞ΒΕΔΑͶ(ͱ͍͏ཧղ) • ੬ऑੑ͔ͩΒରԠͨ͠ํ͕ྑ͍ • ͪΐͬͱ௚ͤ͹ྑ͍ͷͰ͸ͳ͘ɺ஍ຯʹରԠ͕໘౗

23. ྑ͘ͳ͍͚ͲɺΦϓγϣϯΛແޮԽͯ͠ରԠ • ੬ऑੑ͸࢒ΔΘ͚Ͱ͕͢ɺҰ୴͸ྑ͍͔ͳɺͱ͍͏൑அ • ͜ΕͰಈ͖·ͨ͠ config/initializers/omniauth.rb Rails.application.config.middleware.use OmniAuth::Builder do configure

    do |config| config.allowed_request_methods = %i[get post] config.silence_get_warning = true end : end

24. ͪΌΜͱରԠ͢ΔͳΒ • gemͬΆ͍΋ͷ͸ଘࡏ͍ͯ͠Δ: ೖΕΕ͹ྑ͍ͱ͍͏Θ͚Ͱͳ͍? • https://github.com/cookpad/omniauth-railscsrfprotection • ҰճϩάΠϯϘλϯ͕͋Δϖʔδʹඈ͹͢ײ͡ • ϦμΠϨΫτͰPOSTͤ͞Δͷͬͯ೉͘͠ͳ͍ʁ

    • ৄ͘͠ͳ͍ͷͰڭ͍͑ͯͩ͘͞><

25. ·ͱΊ • αΠυϓϩδΣΫτ͸͍͍ͧ • ݱ৔ײɺഓ͍ͬͯͧ͘ʂ • gemͷߋ৽ʹશવ͍͍͚ͭͯͯͳͯ͘ϫϩλ • खΛಈ͔ͯٔ͠ΕΔ͜ͱେࣄ

26. એ఻ • ϙουΩϟετΛ΍͍ͬͯΔͷͰྑ͔ͬͨΒௌ͍ͯͶ • ࿩ͯ͘͠Εͯ΋͍͍ͷΑ

27. Happy Hacking!!