CORS issues with google's OAuth | Devise conflict issue?

[FelipeBodelon]

As a bit of context, I'm hooking up a React CSR frontend to an already existing Rails app.
The endgame of this app is to behave as an API only rails server, but migration has to be gradual.

Right now Devise is installed and I'm afraid it could be conflicting with rodauth, specially with the omniauth integration.
My main issue is getting the following CORS error on the callback request:

E, [2024-02-13T18:23:29.846355 #33633] ERROR -- omniauth: (google) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

It only works properly when setting provider_ignores_state: true on the provider.
I'm pretty sure I've set my origins correctly, included my domain in session store and deleted cookies before trying.

I've pretty much tried a lot of what has been discussed on this omniauth issue, might this be a conflict issue with Devise? Right now it is not configured to use omniauth.

[janko]

It doesn't seem like a Devise issue, but Devise does add Warden into the middleware stack, possibly in front of the Rodauth middleware, and maybe that's messing with the OmniAuth integration. The easiest way is to try temporarily removing Devise and seeing if the OmniAuth flow works.

I suspect there is something that's resetting the session in between request and callback OmniAuth phases. The request phase for OAuth2-based strategies sets "state" in the session and authorize params, which will then get included in the callback URL the strategy redirects to, and the callback phase checks whether the session value corresponds to the value in query string. If they mismatch, this error is raised.

[FelipeBodelon]

Uninstalled Devise and took out everything session related I found and the issue persists. Haven't tried in production yet. I can share the related config if that helps.

Is there a way I could better inspect/log/debug this process? Right now from the client (frontend, localhost:3001) I'm fetching the Google auth URL to '/auth/oauth/google' (prefix: '/auth' and omniauth_prefix: '/oauth'), which successfully returns an URL with params included for authentication. I continue the google flow and when it's time for the callback it fails. At the callback point it redirects back to my frontend to 'http://localhost:3001/auth/google/redirect?state=***....'. I append all those parameters to a callback on the backend '/auth/oauth/google/callback'. Should I include all parameters or only code and state? At this point it fails on the backend, and I can't figure out why.

This is my config:

# rodauth_main.rb

configure do
    # List of authentication features that are loaded.
    enable :create_account, :verify_account, :verify_account_grace_period,
      :login, :logout, :remember, :json,
      :reset_password, :change_password, :change_password_notify,
      :change_login, :verify_login_change, :close_account,  :active_sessions, :omniauth

    omniauth_provider :google_oauth2,
      ENV["GOOGLE_CLIENT_ID"],
      ENV["GOOGLE_CLIENT_SECRET"],
      name: :google,
      authorize_params: { redirect_uri: ENV["FRONTEND_APP_URL"] + "/auth/google/redirect" }, token_params: { redirect_uri: ENV["FRONTEND_APP_URL"] + "/auth/google/redirect" },
      provider_ignores_state: Rails.env.development? # trying to fix this

    ...

    # Use path prefix for all routes.
    prefix "/auth"
    omniauth_prefix "/oauth"

    # Specify the controller used for view rendering, CSRF, and callbacks.
    rails_controller { RodauthController }

    ...

    after_omniauth_create_account do
      p omniauth_info
    end
end

This are my requests from the frontend app:

type EmptyObject = Record<string, never>;
async function getGoogleAuthUrl() {
  const response = await apiClient.post<EmptyObject, { data: { authorizeUrl: string } }>(
    'auth/oauth/google',
    {},
    { withCredentials: true },
  );
  return response.data;
}

async function authWithGoogleCallback(params: URLSearchParams) {
  return await apiClient.get('auth/oauth/google/callback', {
    params,
    data: {},
    withCredentials: true,
  });
}

My rack CORS settings:

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    if Rails.env.development? || Rails.env.test?
      origins 'http://localhost:3000', 'http://localhost:3001'
    else
      # Top level domain will be shared for the backend and frontend
      origins 'https://app.my-domain.com', 'https://my-domain.com'
    end
    resource '*', headers: :any, methods: [:get, :post, :patch, :put, :delete],
    credentials: true
  end
end

Session store settings:

if Rails.env.development?
  Rails.application.config.session_store :cookie_store, key: '_mydomain_session', domain: "localhost", same_site: :strict
else
  Rails.application.config.session_store :cookie_store, key: '_mydomain_session', domain: "my-domain.com", same_site: :strict
end

[janko]

I would recommend tracking session and verifying whether the omniauth.state session value set by omniauth-oauth2 really does get reset in between request and callback phases. You could check the session in a before_omniauth_callback_route hook:

before_omniauth_callback_route do
  p session["omniauth.state"] # should not be nil
  p request.params["state"] # should match session value
end

If you find that session["omniauth.state"] is nil (meaning the whole session is probably empty), then something is resetting the session. You could insert a middleware before rack-cors, which checks the session data before each request:

class PrintSession
  def initialize(app)
    @app = app
  end

  def call(env)
    p env["rack.session"].to_hash

    @app.call(env)
  end
end

Rails.application.config.middleware.insert_before 0, PrintSession

If it contains omniauth.state before the callback request, then somewhere between the start of the request and Rodauth handling the session is being cleared, and you need to figure out where. If it's not there, then the session cookie probably wasn't even being sent to the server in the first place.

[FelipeBodelon]

Issues were related to default csrf checks in place as default for my Rails app. I believe this issues aren't present on Rails in API mode. Setting check_csrf? false solved my issues, hoping a proper CORS config with rack-cors should properly limit access to resources.