How to resolve "csrf_attack" failure when testing a Ueberauth controller?

@alchemist_ubi Firstly, shout out to you and the other maintainers for Ueberauth! Implementing Google OAuth was quite easy thanks to this package.

I’m attempting to write tests for the callback in a Phoenix application, and I can’t get past a Ueberauth.Failure.Error. I have been digging through docs for Ueberauth, Plug.Conn, and Phoenix.Controller, and I didn’t see any tests in ueberauth_example.

When the server is running, I can successfully authenticate with Google, so I’m just blocked on the test. My conn/controller chops are a little rusty since I’m usually writing LiveView code, so I wouldn’t be surprised if there’s a non-Ueberauth-specific solution here. I tried manually setting _csrf_token in the conn session before calling get/2, but that didn’t work.

How does one put a CSRF token on a conn during testing?

Test code

defmodule MyAppWeb.AuthenticationTest do
  @moduledoc false
  alias MyApp.AuthenticationFixtures
  alias MyApp.Identity.User
  alias MyApp.IdentityFixtures
  use MyAppWeb.ConnCase, async: true
  use Plug.Test

  describe "callback/2" do
    test "starts session for valid user", %{conn: conn} do
      %User{email: email} = IdentityFixtures.user_fixture()
      auth = AuthenticationFixtures.auth_attrs(email: email)
      conn = get(conn, ~p"/auth/google/callback", ueberauth_auth: auth)
      assert redirected_to(conn, 302) == ~p"/"
    end
  end
end

Error

%Ueberauth.Failure{
  provider: :google,
  strategy: Ueberauth.Strategy.Google,
  errors: [
    %Ueberauth.Failure.Error{
      message_key: "csrf_attack",
      message: "Cross-Site Request Forgery attack"
    }
  ]
}
1 Like

Hey, sorry for the delay, I was on vacation until now,

Based on ueberauth/lib/ueberauth/strategy.ex at ede44472dd1a331c12f089d47da96067523457d1 · ueberauth/ueberauth · GitHub

Adding a cookie called ueberauth.state_param ueberauth/lib/ueberauth/strategy.ex at ede44472dd1a331c12f089d47da96067523457d1 · ueberauth/ueberauth · GitHub would work

Adding that cookie as part of the request again so that the following check passes ueberauth/lib/ueberauth/strategy.ex at ede44472dd1a331c12f089d47da96067523457d1 · ueberauth/ueberauth · GitHub

2 Likes
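An added example of the cookie-plus-param approach described above, written as a test in the question's own module; it is not code from the thread or from Ueberauth. It assumes the cookie name `ueberauth.state_param` from the linked strategy.ex, the `/auth/google/callback` route from the question, and that Ueberauth puts its failure in `conn.assigns[:ueberauth_failure]`. Note that this only clears the CSRF check: with no real authorization code the Google strategy reports `missing_code` next, as described later in the thread, so the test asserts on that rather than on a successful login.

```elixir
defmodule MyAppWeb.AuthenticationCsrfTest do
  use MyAppWeb.ConnCase, async: true
  use Plug.Test

  # Assumed cookie name: the one set by with_state_param/2 in strategy.ex and
  # compared against the "state" query param when the callback runs.
  @state_cookie "ueberauth.state_param"

  describe "callback/2 CSRF state check" do
    test "matching state cookie and state param clears csrf_attack", %{conn: conn} do
      # Constructed value: only equality between cookie and param matters.
      state = "test-state-#{System.unique_integer([:positive])}"

      conn =
        conn
        # put_req_cookie/3 comes from Plug.Test and sets the request cookie header
        |> put_req_cookie(@state_cookie, state)
        # No "code" param on purpose: we want to stop before the token exchange
        |> get(~p"/auth/google/callback", state: state)

      # Ueberauth assigns the failure struct on the conn when the callback fails
      assert %Ueberauth.Failure{errors: errors} = conn.assigns[:ueberauth_failure]
      keys = Enum.map(errors, & &1.message_key)

      # The CSRF check passed; the next failure is the missing authorization code
      refute "csrf_attack" in keys
      assert "missing_code" in keys
    end
  end
end
```

Getting past `missing_code` requires a code the strategy can exchange, which this thread does not resolve; any `code` value you make up will produce the `invalid_grant` error mentioned below.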

No worries! Hope you had a good time.

Thank you for the links and suggestions. I will try that when I’m back to work next week. :pray:

I’m still not quite following. Adding the state cookie and param resolves the previous csrf_attack error, but then I receive a missing_code error. When I add a code param, I get an invalid_grant error, so I suspect the code can’t just be a random hash. The more I look for answers, the more confused I get.

Skill issue? Certainly, though I imagine it’s a common skill issue.

On a more meta note, I’m having to dig a bit deeper than I’d like into the Ueberauth internals to wire up a test, and wishing there was more tooling available from the package. It’s possible this would be more obvious with more familiarity with OAuth ceremonies. If I understood how to tackle it, I’d be happy to open one or more PRs to add Ueberauth test tooling and test(s) in ueberauth_example. Would an issue or set of issues be useful, or is this thread sufficient?

Honestly, by now, I wish to redo Ueberauth; you are not the only one with a skill issue :face_holding_back_tears: I need to dig more into it. I also remember that I did not decide to make the state generator be able to be deterministic (meaning swap the implementation in testing) to keep things simple; I guess it is time to add such a thing.

I need to find the time to help you on this one, and probably, help the entire ueberauth ecosystem.

2 Likes

It’s a super valuable package with over 6 million all-time downloads, so you’ve done great work here already. :beers: Like I said before, adding the Google OAuth integration was much easier than I expected.

I’m happy to carve out some time to help, even if it’s just documenting things. Let me know if you have some ideas.

I think it will be valuable if you at least make a higher-level GitHub issue outlining what you might need help with. That way people can actually contribute meaningfully and in line with your vision.

:+1: I opened #204 on ueberauth.

2 Likes