https://github.com/cookpad/omniauth-rails_csrf_protection
Provides CSRF protection on OmniAuth request endpoint on Rails application.
Keywords from Contributors
rubygems activejob activerecord mvc
Last synced: about 22 hours ago
Repository metadata
- Host: GitHub
- URL: https://github.com/cookpad/omniauth-rails_csrf_protection
- Owner: cookpad
- License: mit
- Created: 2019-05-30T05:50:40.000Z (almost 7 years ago)
- Default Branch: main
- Last Pushed: 2025-12-10T19:13:36.000Z (3 months ago)
- Last Synced: 2026-02-26T17:11:26.764Z (5 days ago)
- Language: Ruby
- Homepage:
- Size: 46.9 KB
- Stars: 258
- Watchers: 16
- Forks: 43
- Open Issues: 3
- Releases: 8
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
- Code of conduct: CODE_OF_CONDUCT.md
README.md
OmniAuth - Rails CSRF Protection
This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request
Forgery on the request phase when using OmniAuth gem with a Ruby on Rails
application) by implementing a CSRF token verifier that directly uses
ActionController::RequestForgeryProtection code from Rails.
[!NOTE]
OmniAuth has provided a built-in solution to mitigate against
CVE-2015-9284 since version 2.0.0.
You should be able to mitigate against this vulnerability
by adding this configuration to your application:
OmniAuth.config.request_validation_phase = OmniAuth::AuthenticityTokenProtection.new(key: :_csrf_token)
This gem will continue to be maintained as an alternative to the solution above.
Usage
Add this line to your application's Gemfile:
gem "omniauth-rails_csrf_protection"
Then run bundle install to install this gem.
You will then need to verify that every link in your application that would
initiate the OAuth request phase is converted to an HTTP POST form that
contains an authenticity_token value. This can be done simply by changing each
link_to to button_to, or by using link_to ..., method: :post.
Under the Hood
This gem does two things to your application:
- Disables access to the OAuth request phase over the HTTP GET method.
- Inserts a Rails CSRF token verifier in the before-request phase.
Together these close the attack vector described in CVE-2015-9284.
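The two checks listed above (reject GET on the request phase, then verify the CSRF token on POST), sketched as an added Ruby illustration that is not the gem's code and does not depend on Rails: the token is a plain random value kept in the session, standing in for Rails' masked authenticity token (an assumption), and the names RequestPhaseGuard and validate are hypothetical.

```ruby
require "securerandom"

# Models the request-phase guard the README describes: a cross-site <a> link
# (GET) is refused outright, and a cross-site form POST is refused because it
# cannot carry the victim's session-bound token. Only the app's own button_to
# form, which embeds the token, passes.
module RequestPhaseGuard
  TOKEN_PARAM = "authenticity_token"
  SESSION_KEY = "_csrf_token"

  # Issue (or reuse) the per-session token that the POST form embeds.
  def self.token_for(session)
    session[SESSION_KEY] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison: the result must not depend on where the first
  # mismatching byte is, so a forged token cannot be refined byte by byte.
  def self.secure_compare(expected, given)
    return false unless expected.is_a?(String) && given.is_a?(String)
    return false unless expected.bytesize == given.bytesize
    expected.bytes.zip(given.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Validate a request to /auth/:provider. Returns :ok, :get_not_allowed or
  # :invalid_token; a real middleware would map the latter two to 4xx responses.
  def self.validate(method:, params:, session:)
    return :get_not_allowed unless method.to_s.upcase == "POST"
    expected = session[SESSION_KEY]
    given = params[TOKEN_PARAM]
    return :invalid_token if expected.nil? || !secure_compare(expected, given)
    :ok
  end
end

if __FILE__ == $0
  session = {}
  token = RequestPhaseGuard.token_for(session)
  # A plain link from any origin: refused before the token is even looked at.
  p RequestPhaseGuard.validate(method: "GET", params: {}, session: session)
  # A form posted from an attacker's page: no token, refused.
  p RequestPhaseGuard.validate(method: "POST", params: {}, session: session)
  # The application's own button_to form: token present and matching.
  p RequestPhaseGuard.validate(method: "POST",
                               params: { "authenticity_token" => token },
                               session: session)
end
```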
Contributing
Bug reports and pull requests are welcome on GitHub. This project is
intended to be a safe, welcoming space for collaboration, and contributors are
expected to adhere to the
Contributor Covenant code of conduct.
License
The gem is available as open source under the terms of the
MIT License.
Code of Conduct
Everyone interacting in this project's codebases, issue trackers, chat
rooms and mailing lists is expected to follow the
code of conduct.
Owner metadata
- Name: Cookpad
- Login: cookpad
- Email:
- Kind: organization
- Description:
- Website: https://info.cookpad.com
- Location: Tokyo, Japan | Bristol, UK
- Twitter:
- Company:
- Icon url: https://avatars.githubusercontent.com/u/119195?v=4
- Repositories: 193
- Last synced at: 2023-04-09T03:40:21.409Z
- Profile URL: https://github.com/cookpad
GitHub Events
Total
- Delete event: 6
- Pull request event: 2
- Fork event: 2
- Issues event: 2
- Watch event: 22
- Issue comment event: 17
- Push event: 12
- Pull request review event: 1
- Pull request review comment event: 2
- Create event: 3
Last Year
- Delete event: 6
- Pull request event: 1
- Fork event: 1
- Issues event: 2
- Watch event: 9
- Issue comment event: 16
- Push event: 12
- Pull request review event: 1
- Pull request review comment event: 2
- Create event: 3
Committers metadata
Last synced: 2 days ago
Total Commits: 44
Total Committers: 10
Avg Commits per committer: 4.4
Development Distribution Score (DDS): 0.25
Commits in past year: 10
Committers in past year: 1
Avg Commits per committer in past year: 10.0
Development Distribution Score (DDS) in past year: 0.0
| Name | Email (masked) | Commits |
|---|---|---|
| Prem Sichanugrist | s@s****u | 33 |
| nick evans | n****k@r****v | 2 |
| Abraham Raji | w****k@a****n | 2 |
| Sunny Ripert | s****y@s****g | 1 |
| Paul McCarthy | p****s@g****m | 1 |
| Nick Muerdter | 1****I | 1 |
| Matthew Kobs | m****s@c****g | 1 |
| Bobby McDonald | b****o@g****m | 1 |
| Akshay Birajdar | a****5@g****m | 1 |
| Prem Sichanugrist | p****m@c****m | 1 |
Committer domains:
- cookpad.com: 1
- cph.org: 1
- sunfox.org: 1
- abrahamr.in: 1
- rubinick.dev: 1
- sikac.hu: 1
Issue and Pull Request metadata
Last synced: 5 days ago
Total issues: 14
Total pull requests: 17
Average time to close issues: 8 months
Average time to close pull requests: about 1 month
Total issue authors: 14
Total pull request authors: 12
Average comments per issue: 5.93
Average comments per pull request: 2.24
Merged pull request: 10
Bot issues: 0
Bot pull requests: 0
Past year issues: 5
Past year pull requests: 3
Past year average time to close issues: 12 days
Past year average time to close pull requests: 18 days
Past year issue authors: 5
Past year pull request authors: 3
Past year average comments per issue: 4.0
Past year average comments per pull request: 7.33
Past year merged pull request: 0
Past year bot issues: 0
Past year bot pull requests: 0
Top Issue Authors
- SpamapS (1)
- penguoir (1)
- freesteph (1)
- thomaswitt (1)
- cpinto (1)
- fabioxgn (1)
- blrobin2 (1)
- jjf21 (1)
- alexventuraio (1)
- ybakos (1)
- viktor-shmigol (1)
- sshaw (1)
- john-fitzpatrick-elocal (1)
- buncis (1)
Top Pull Request Authors
- nevans (6)
- scootklein (1)
- mccarths (1)
- gilesdotcodes (1)
- frenkel (1)
- kobsy (1)
- abrahamparayil (1)
- BobbyMcWho (1)
- the-spectator (1)
- ilianah (1)
- GUI (1)
- sunny (1)
Top Issue Labels
Top Pull Request Labels
Package metadata
- Total packages: 7
Total downloads:
- rubygems: 123,580,043 total
- Total docker downloads: 264,143,130
- Total dependent packages: 29 (may contain duplicates)
- Total dependent repositories: 4,087 (may contain duplicates)
- Total versions: 21
- Total maintainers: 2
gem.coop: omniauth-rails_csrf_protection
This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request Forgery on the request phase when using the OmniAuth gem with a Ruby on Rails application) by implementing a CSRF token verifier that directly utilizes `ActionController::RequestForgeryProtection` code from Rails.
- Homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
- Documentation: http://www.rubydoc.info/gems/omniauth-rails_csrf_protection/
- Licenses: MIT
- Latest release: 2.0.1 (published 3 months ago)
- Last Synced: 2026-03-01T08:31:48.739Z (2 days ago)
- Versions: 8
- Dependent Packages: 0
- Dependent Repositories: 0
- Downloads: 61,775,573 Total
- Docker Downloads: 132,071,565
Rankings:
- Dependent repos count: 0.0%
- Dependent packages count: 0.0%
- Average: 0.241%
- Downloads: 0.466%
- Docker downloads count: 0.5%
- Maintainers (2)
rubygems.org: omniauth-rails_csrf_protection
This gem provides a mitigation against CVE-2015-9284 (Cross-Site Request Forgery on the request phase when using the OmniAuth gem with a Ruby on Rails application) by implementing a CSRF token verifier that directly utilizes `ActionController::RequestForgeryProtection` code from Rails.
- Homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
- Documentation: http://www.rubydoc.info/gems/omniauth-rails_csrf_protection/
- Licenses: MIT
- Latest release: 2.0.1 (published 3 months ago)
- Last Synced: 2026-03-02T04:33:04.769Z (1 day ago)
- Versions: 8
- Dependent Packages: 29
- Dependent Repositories: 4,087
- Downloads: 61,804,470 Total
- Docker Downloads: 132,071,565
Rankings:
- Dependent repos count: 0.494%
- Downloads: 0.553%
- Docker downloads count: 0.6%
- Dependent packages count: 0.896%
- Average: 1.826%
- Stargazers count: 3.956%
- Forks count: 4.46%
- Maintainers (2)
ubuntu-23.10: ruby-omniauth-rails-csrf-protection
- Homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
- Licenses:
- Latest release: 1.0.1-2 (published 18 days ago)
- Last Synced: 2026-02-13T18:28:07.550Z (18 days ago)
- Versions: 1
- Dependent Packages: 0
- Dependent Repositories: 0
Rankings:
- Dependent repos count: 0.0%
- Dependent packages count: 0.0%
- Average: 100%
ubuntu-23.04: ruby-omniauth-rails-csrf-protection
- Homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
- Licenses:
- Latest release: 1.0.1-2 (published 20 days ago)
- Last Synced: 2026-02-11T06:45:46.636Z (20 days ago)
- Versions: 1
- Dependent Packages: 0
- Dependent Repositories: 0
Rankings:
- Dependent repos count: 0.0%
- Dependent packages count: 0.0%
- Average: 100%
debian-12: ruby-omniauth-rails-csrf-protection
- Homepage: https://github.com/cookpad/omniauth-rails_csrf_protection
- Documentation: https://packages.debian.org/bookworm/ruby-omniauth-rails-csrf-protection
- Licenses:
- Latest release: 1.0.1-2 (published 18 days ago)
- Last Synced: 2026-02-12T23:36:56.161Z (18 days ago)
- Versions: 1
- Dependent Packages: 0
- Dependent Repositories: 0
Rankings:
Dependencies
- bundler >= 0 development
- minitest >= 0 development
- rails >= 0 development
- rake >= 0 development
- actionpack >= 4.2
- omniauth ~> 2.0
- actions/checkout v4 composite
- ruby/setup-ruby v1 composite
Score: 27.64291872583035