Support for concurrent authentication (multiple states and origins)

[pierre-pretorius]

Consider a scenario where you only allow your users to authenticate against a single oauth2 provider such as Google. With this scenario it's common not to have a login page and just immediately attempt authentication against the oauth2 provider. If the user starts up his browser and restores multiple tabs of your application, all these tabs redirect to the provider login screen. If the user then signs in on each tab he gets a CSRF error on all except the last tab that opened on your application callback because this gem only allows one state parameter in the session. Furthermore it doesn't redirect back to the origin correctly because it only stores one origin as well. This pull request stores multiple state parameters in the session and an origin for each of the states.

[coveralls]

Coverage decreased (-6.4%) to 78.571% when pulling 24b847d on pierre-pretorius:multiple_origins into 464fcef on intridea:master.

[coveralls]

Coverage decreased (-6.4%) to 78.571% when pulling 24b847d on pierre-pretorius:multiple_origins into 464fcef on intridea:master.

[coveralls]

Coverage decreased (-6.4%) to 78.571% when pulling e246fa9 on pierre-pretorius:multiple_origins into 464fcef on intridea:master.

[coveralls]

Coverage decreased (-6.4%) to 78.571% when pulling e246fa9 on pierre-pretorius:multiple_origins into 464fcef on intridea:master.

[coveralls]

Coverage decreased (-6.4%) to 78.571% when pulling e246fa9 on pierre-pretorius:multiple_origins into 464fcef on intridea:master.

[justinhoward]

This is related to #95 and also seems like a duplicate of #88 and #75. Anyway, a lot of people seem interested in a fix for these issues.

• Allow authorization after user clicks the back button, returning to the provider login form (multiple use of the same state).
• Allow simultaneous login from multiple providers or multiple tabs (multiple simultaneous states).

[renchap]

This will fix a lot of issues related to the state CSRF mechanism. It is good to have it here to prevent CSRF attempts but the current implementation is way to strict.
I would love to have this PR (or one of the mentionned above) merged.

is it anything I can do to get it merged @tmilewski ?

[tmilewski]

I'll have to take a look through all of this later.

That said, any help would be greatly appreciated! At first glance, the big things, at this point, would be adding specs and getting it to pass CI.

[senny]

Just wanted to drop a quick note that we are seeing exactly the issue described in the PR. We use a single oauth provider for authentication and do indeed trigger authentication right away. When two or more tabs are going through authentication at the same time, csrf_detected errors are happening.

Any chances to get this patch finalized?

[xhyrom]

Is this gonna happen or should i cherry pick?