Skip to content

Feature/oauth integration #1095

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 18 commits into
base: main
Choose a base branch
from
Draft

Feature/oauth integration #1095

wants to merge 18 commits into from

Conversation

rsmithlal
Copy link
Member

Summary

Describe the change and the motivation.

Checklist

  • Tests added/updated and passing (bin/ci).
  • Lint and security checks (rubocop, brakeman, bundler-audit).
  • Documentation updated under docs/ describing new/changed functionality.
  • Mermaid diagrams (docs/*.mmd) updated to reflect changes.
  • Rendered PNGs regenerated with bin/render_diagrams and committed.
  • For DB changes, included any needed backfills/dedupes and noted risks.

Screenshots / Diagrams

If applicable, include screenshots or link to updated diagrams.

Notes

Anything reviewers should be aware of (migration order, flags, feature toggles).

rsmithlal added 17 commits August 24, 2025 16:31
@rsmithlal
WIP: test devise github oauth integration
7cf30fe
@rsmithlal
Reorder dependencies in Gemfile.lock to maintain consistency
b89a658
@rsmithlal
Update omniauth routes
9787161 
use BetterTogether controller
@rsmithlal
update github oauth action
7103abc
@rsmithlal
WIP: github oauth
7a31505
@rsmithlal
WIP: github oauth use correct user class reference
a601e1d
@rsmithlal
WIP: github oauth use correct user method to process auth env data
d4bb07b
@rsmithlal
Only show oauth login links if param oauth_login=true
5b94626 
Prevent visibility of the feature before it's ready
@rsmithlal
WIP: initial foundation to integrate GitHub API using Octokit gem
855c2fb
@rsmithlal
WIP: Initial scaffolding of PersonPlatformIntegrations
390dcfc 
Allows for linking OAuth authorizations to Person and Platform records
@rsmithlal
WIP: Flesh out PersonPlatformIntegration
d6f7f7e
@rsmithlal
Fix primary community description fallback logic
15ca1a1
@rsmithlal
WIP: attempt to correctly sign_in the user after oauth
23f9855
@rsmithlal
Add comprehensive tests for OAuth integration and user creation
6c800ce 
- Introduced new spec for Simple OAuth Flow in `oauth_simple_spec.rb` to validate user creation and integration handling.
- Enhanced `person_platform_integration_spec.rb` with tests for attributes extraction, token management, and integration updates.
- Created `devise_user_spec.rb` to test user creation from OAuth and attribute setting from auth hash.
- Added support helpers in `oauth_test_helpers.rb` for generating mock OAuth auth hashes for various providers.
- Implemented shared examples in `oauth_examples.rb` for consistent testing of OAuth authentication flows and token management.
@rsmithlal
Refactor GitHub authentication flow and update PersonPlatformIntegrat…
8973482 
…ion lookup
@rsmithlal
Configure OmniAuth for test mode and enhance OAuth test helpers
bf3fcf0
@rsmithlal
Merge branch 'main' into feature/oauth-integration
0b792f3 
Signed-off-by: Robert Smith <[email protected]>
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 25, 2025
View reviewed changes
app/controllers/better_together/omniauth_callbacks_controller.rb
@@ -0,0 +1,59 @@
class BetterTogether::OmniauthCallbacksController < Devise::OmniauthCallbacksController
# See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy
skip_before_action :verify_authenticity_token, only: %i[github]

Check failure

Code scanning / CodeQL

CSRF protection weakened or disabled High

Potential CSRF vulnerability due to forgery protection being disabled or weakened.

Copilot Autofix

AI 27 days ago

To fix this issue, re-enable CSRF protection for the github callback by removing or altering the line that skips CSRF verification for it. The best, most minimal fix is to delete or comment out the skip_before_action :verify_authenticity_token, only: %i[github] line (line 3 in the given code). This restores Rails' default (and secure) behaviour: requests made to the github callback will require the authenticity token, mitigating CSRF risk. No additional code or imports are needed—just remove that single line.

Suggested changeset 1
app/controllers/better_together/omniauth_callbacks_controller.rb

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/controllers/better_together/omniauth_callbacks_controller.rb b/app/controllers/better_together/omniauth_callbacks_controller.rb
--- a/app/controllers/better_together/omniauth_callbacks_controller.rb
+++ b/app/controllers/better_together/omniauth_callbacks_controller.rb
@@ -1,6 +1,5 @@
 class BetterTogether::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   # See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy
-  skip_before_action :verify_authenticity_token, only: %i[github]
 
   before_action :set_person_platform_integration, except: [:failure]
   before_action :set_user, except: [:failure]
EOF
@@ -1,6 +1,5 @@
class BetterTogether::OmniauthCallbacksController < Devise::OmniauthCallbacksController
# See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy
skip_before_action :verify_authenticity_token, only: %i[github]

before_action :set_person_platform_integration, except: [:failure]
before_action :set_user, except: [:failure]
Copilot is powered by AI and may make mistakes. Always verify output.
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 29, 2025
View reviewed changes
app/views/better_together/person_platform_integrations/show.html.erb
@@ -0,0 +1,10 @@
<p style="color: green"><%= notice %></p>

<%= render @person_platform_integration %>

Check notice

Code scanning / Brakeman

Render path contains parameter value. Note

Render path contains parameter value.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rsmithlal