In spite of a javascript-enabled cucumber scenario in our tests in specialist publisher, we failed to spot that we were failing to pass the CSRF token in an Ajax request for previewing documents in the specialist publisher.

In other words, the cucumber scenario worked fine, but the preview button actually failed due to the lack of CSRF.

We tracked this down to the the interaction between the CSRF forgery protection and the 'mock' authentication strategy in gds-sso.

If CSRF verification fails, the default behaviour is to clear the session.

However, in test-mode gds-sso does not pay attention to the session it always treats the user as authenticated, by just loading the first user from the database.

It would be good to figure out a general-purpose fix for this issue so that everyone can rely on cucumber-style tests to verify CSRF behaviour.

We should review the design of the mock_gds_sso strategy to see if there's a way to achieve this.

As there is no lockfile, its testing against rails 4.0 instead of 3.0

Having used gds-sso for the first time I'm not happy with it's behaviour in test and development environments. It currently forces a mock-login in those environments. This causes a few issues:

• Makes it nearly impossible to test system's behaviour with unauthenticated users
• Increases potential of security issues as behaviour in dev/test environments is very different from production

The latter point is made even more dangerous by the fact that controllers need to be "blacklisted" by adding before_action: authenticate_user! (v.s. explicitly opting them out from authentication). If a developer forgets to "blacklist" a controller they would not notice the fact authentication is missing, because all requests in dev/test are mock-authenticated automatically.

Currently devs can set GDS_SSO_STRATEGY=real to do manual testing locally, however this does not allow switching it on/off for different tests as it is evaluated only once at the application load time. This mock-auth behaviour could be controlled by a config flag that could be changed on a per-test basis. This would allow us to keep the behaviour as it is for existing apps at the same time recommending better defaults for new application developers in documentation.

Any thoughts?

Example: we might want to provide "preview" functionality for a publishing feature, but we don't want to write out own stub that mirrors all the behaviour of GDS::SSO users in our functional test setup method.

If you could provide one for gem consumers that'd be awesome.

RubyGems.org doesn't report a license for your gem. This is because it is not specified in the gemspec of your last release.

via e.g.

spec.license = 'MIT'
# or
spec.licenses = ['MIT', 'GPL-2']

Including a license in your gemspec is an easy way for rubygems.org and other tools to check how your gem is licensed. As you can imagine, scanning your repository for a LICENSE file or parsing the README, and then attempting to identify the license or licenses is much more difficult and more error prone. So, even for projects that already specify a license, including a license in your gemspec is a good practice. See, for example, how rubygems.org uses the gemspec to display the rails gem license.

There is even a License Finder gem to help companies/individuals ensure all gems they use meet their licensing needs. This tool depends on license information being available in the gemspec. This is an important enough issue that even Bundler now generates gems with a default 'MIT' license.

I hope you'll consider specifying a license in your gemspec. If not, please just close the issue with a nice message. In either case, I'll follow up. Thanks for your time!

Appendix:

If you need help choosing a license (sorry, I haven't checked your readme or looked for a license file), GitHub has created a license picker tool. Code without a license specified defaults to 'All rights reserved'-- denying others all rights to use of the code.
Here's a list of the license names I've found and their frequencies

p.s. In case you're wondering how I found you and why I made this issue, it's because I'm collecting stats on gems (I was originally looking for download data) and decided to collect license metadata,too, and make issues for gemspecs not specifying a license as a public service :). See the previous link or my blog post about this project for more information.

On Rails 4 apps we have to overwrite the find_for_gds_oauth method on User because update_attributes does not take an :as option, see: https://github.com/rails/rails/blob/582a90c09386839d7374fa1933ca4d805e1140a1/activerecord/lib/active_record/persistence.rb#L225

For examples of the override see: https://github.com/alphagov/hmrc-contacts/blob/master/app/models/user.rb#L11

As attr_protected had been removed, can we edit this so that we do not pass in an option?

In our logs I'm seeing errors when apps try and sync permissions, skip_before_action :verify_authenticity_token should be added to the users controller

As I mentioned privately to @boffbowsh -- I'm a good way along with making this gem Rails 5 compatible and am keen to keep our changes going upstream.

One outstanding issue is Rails 5 dropping support for Rubies earlier than 2.2.2, thanks to Rack 2's requirements.

I couldn't remember if you folks still maintain projects targeting earlier rubies so perhaps this is a non-issue? If you do, we could still maintain backwards compatibility for those older Ruby / Rails versions but would likely suffer a wall of deprecation messages when running in the context of Rails 5.x. There are of course workarounds we could employ -- checking the Rails version at runtime and doing the Right Thing:tm:.

Happy to take a steer on your most favoured approach. Thoughts?

We currently support usage of this gem in the context of both Ruby 1.9.3 and Rails 3.2 but our applications and services have since moved on from here. We should end support for these versions.

The issue arises when an application calls back to itself via AJAX from the client - say to bind a UI element to a collection of JSON resources.

The user is authenticated, has a current session and the client library will pass the session cookie - so there is no need to authenticate via other means. However, the presence of the HTTP_ACCEPT: application/json header / value dictates the (gds-sso) hosting application will determine the call "API" in nature and will attempt to authenticate via a bearer-token that is not present. See:

# lib/gds-sso/api_access.rb
require 'rack/accept'

module GDS
  module SSO
    class ApiAccess
      def self.api_call?(env)
        request = Rack::Accept::Request.new(env)
        request.best_media_type(%w{text/html application/json}) == 'application/json'
      end
    end
  end
end

I'm proposing an alteration to this behaviour so requests are considered "API" in nature - based only upon the presence of a bearer token. This would permit clients to make "API" calls in the context of the current user without needing further forms of authentication.

It seems from my rudimentary search in existing GDS apps that this would not be a breaking change, but I thought I'd float the idea before going ahead. Thoughts?

cc: @boffbowsh

Hi,

I'm not sure about the following configuration, it looks like it loads the real strategy not the mock when use_mock_strategies is set to true:

Is this correct?