The latest articles on DEV Community by Federico Meini (@fedme). https://dev.to/fedme https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F684274%2F3640df45-97e4-4d72-a214-e4e70d3dc0db.png https://dev.to/fedme en Federico Meini Wed, 11 Aug 2021 13:00:01 +0000 https://dev.to/fedme/uberauth-how-to-keep-state-between-request-and-callback-1hb7 https://dev.to/fedme/uberauth-how-to-keep-state-between-request-and-callback-1hb7 <p><a href="https://github.com/ueberauth/ueberauth">Überauth</a> is probably the go-to OAuth login extension for Elixir projects. </p> <p>The team behind the library has recently improved its security against <a href="https://github.com/ueberauth/ueberauth_google/pull/82">CSRF attacks</a>. Unfortunately, the security improvement comes at a cost for the end user, as it is now impossible to keep state between the <em>request</em> and <em>callback</em> phases of the OAuth process.</p> <h2> Background </h2> <p>Most OAuth providers (e.g. <em>Google</em>) allow developers to pass custom state inside a <code>state</code> query parameter as part od the <em>request</em> URL. The OAuth provider then passes the state back when calling our <em>callback</em> endpoint.</p> <p>Überauth now uses the <code>state</code> query parameter to pass the CSRF token, overwriting whatever custom state developers put in the request URL.</p> <h2> Workaround </h2> <p>Luckily, there is another way. We can put our custom state in a session cookie in the <a href="https://github.com/ueberauth/ueberauth#request-phase">request phase</a> and retrieve it from the session in the <a href="https://github.com/ueberauth/ueberauth#callback-phase">callback phase</a>.</p> <h3> Code example </h3> <p>The following code snippet shows how to save some custom state in the session cookie and retrieve in the <em>callback</em> phase of the OAuth flow.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight elixir"><code><span class="k">defmodule</span> <span class="no">MyAppWeb</span><span class="o">.</span><span class="no">AuthController</span> <span class="k">do</span> <span class="kn">use</span> <span class="no">MyAppWeb</span><span class="p">,</span> <span class="ss">:controller</span> <span class="n">plug</span><span class="p">(</span><span class="no">Ueberauth</span><span class="p">,</span> <span class="ss">providers:</span> <span class="p">[</span><span class="ss">:google_custom</span><span class="p">])</span> <span class="nv">@provider_config</span> <span class="p">{</span><span class="no">Ueberauth</span><span class="o">.</span><span class="no">Strategy</span><span class="o">.</span><span class="no">Google</span><span class="p">,</span> <span class="p">[</span><span class="ss">default_scope:</span> <span class="s2">"email profile"</span><span class="p">]}</span> <span class="k">def</span> <span class="n">request</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="p">%{</span><span class="s2">"provider"</span> <span class="o">=&gt;</span> <span class="s2">"google"</span><span class="p">,</span> <span class="s2">"custom_state"</span> <span class="o">=&gt;</span> <span class="n">custom_state</span><span class="p">)</span> <span class="k">do</span> <span class="c1"># Store custom state in the session</span> <span class="n">conn</span> <span class="o">|&gt;</span> <span class="n">put_session</span><span class="p">(</span><span class="ss">:auth_custom_state</span><span class="p">,</span> <span class="n">custom_state</span><span class="p">)</span> <span class="o">|&gt;</span> <span class="no">Ueberauth</span><span class="o">.</span><span class="n">run_request</span><span class="p">(</span><span class="s2">"google"</span><span class="p">,</span> <span class="nv">@provider_config</span><span class="p">)</span> <span class="k">end</span> <span class="k">def</span> <span class="n">callback</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="n">params</span><span class="p">)</span> <span class="k">do</span> <span class="p">%{</span><span class="ss">assigns:</span> <span class="p">%{</span><span class="ss">ueberauth_auth:</span> <span class="n">auth</span><span class="p">}}</span> <span class="o">=</span> <span class="n">conn</span> <span class="o">|&gt;</span> <span class="no">Ueberauth</span><span class="o">.</span><span class="n">run_callback</span><span class="p">(</span><span class="s2">"google"</span><span class="p">,</span> <span class="nv">@provider_config</span><span class="p">)</span> <span class="c1"># Get custom state back from session</span> <span class="n">auth_custom_state</span> <span class="o">=</span> <span class="n">get_session</span><span class="p">(</span><span class="n">conn</span><span class="p">,</span> <span class="ss">:auth_custom_state</span><span class="p">)</span> <span class="no">IO</span><span class="o">.</span><span class="n">inspect</span><span class="p">(</span><span class="n">auth_custom_state</span><span class="p">,</span> <span class="ss">label:</span> <span class="s2">"Auth custom state"</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>With that code, I am able to start the OAuth flow passing some custom state in the URL (e.g. <code>https://localhost:4000/auth/google?custom_state=some_values_here</code>) and then take it back from the session in the <code>callback</code> function.</p> elixir ueberauth oauth authentication