CSRF issues with Ueberauth GitHub on Phoenix

Hi :wave:

I’ve been trying (and failing) to set up Ueberauth to allow a user to authenticate with GitHub.

The problem

The issue I’m running into is CSRF: Ueberauth adds a state query param when making the request to GitHub and stores it in a cookie. The user authenticates with GitHub and is sent back to the site, where we check that the state param matches the cookie.

As far as I can tell, Ueberauth correctly sets the state param and the cookie on request but when GitHub hits the callback URL, the state cookie is removed before checking a match. This leads to a CSRF error.

Versions

Any ideas or working examples would be much appreciated. I’m going to try to create a minimal example with a new project to see if there’s something specific about the project, as so far nothing has worked and I’ve resorted to stepping through the Ueberauth source code to identify the problem.

Thanks for taking the time to read my question!

1 Like
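The state round-trip described in the question, written as an added Elixir/Plug sketch that is not Ueberauth's code or the original poster's. The module name, cookie name and `begin`/`callback` functions are assumptions, and the `secure` cookie assumes the app is served over HTTPS; the point is the ordering on the callback side: read and compare the cookie before deleting it.

```elixir
# Added example (not Ueberauth's code): the OAuth2 `state` round-trip the
# thread describes, as two plain Plug.Conn steps. Names are made up.
defmodule StateCheckExample do
  import Plug.Conn

  @cookie "oauth_state_example"

  # Request phase: mint a random state, stash it in a cookie and build the
  # redirect to the provider carrying the same value as a query param.
  # Assumes `authorize_url` has no query string of its own.
  def begin(conn, authorize_url) do
    state = :crypto.strong_rand_bytes(24) |> Base.url_encode64(padding: false)

    conn
    |> put_resp_cookie(@cookie, state,
      http_only: true, secure: true, same_site: "Lax", max_age: 600)
    |> put_resp_header("location", authorize_url <> "?" <> URI.encode_query(%{"state" => state}))
    |> send_resp(302, "")
  end

  # Callback phase: read the cookie FIRST, compare it to the returned
  # `state` param in constant time, and only then drop the cookie.
  # Deleting it before the comparison is the failure mode reported above.
  def callback(conn) do
    conn = conn |> fetch_query_params() |> fetch_cookies()
    expected = conn.cookies[@cookie]
    actual = conn.query_params["state"]

    # The cookie is single-use: clear it on the response either way.
    conn = delete_resp_cookie(conn, @cookie)

    cond do
      is_nil(expected) or is_nil(actual) ->
        {:error, :missing_state, conn}

      Plug.Crypto.secure_compare(expected, actual) ->
        {:ok, conn}

      true ->
        {:error, :state_mismatch, conn}
    end
  end
end
```

`{:error, :missing_state, _}` is what the poster's symptom looks like from the inside: the param arrives, but the cookie is already gone by the time the comparison runs.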

I had the same issue. I needed to specify the version of

```elixir
{:oauth2, "~> 2.0.1"},
```

It was 2.1 before, but I hope this will be fixed soon.

1 Like

Wow, this was not obvious. Thanks! Updating my mix.exs with the following works perfectly:

```elixir
[
  {:oauth2, "~> 2.0.1"},
  {:ueberauth, "~> 0.10.3"},
  {:ueberauth_github, github: "ueberauth/ueberauth_github", tag: "v0.8.2"}
]
```