Rails 4.1.5 omniauth strong parameters

Question

After upgrading Rails 4.1.4 to 4.1.5 i get errors with my facebook omniauth session everything was working fine since then. When i create a User Session i get an ActiveModel::ForbiddenAttributesError

Route:

  match 'auth/:provider/callback', to: 'sessions#create', as: 'signin', via: :get

Session#create controller:

  def create
        user = User.from_omniauth(env["omniauth.auth"])
        session[:user_id] = user.id 
        session[:user_name] = user.name

      redirect_to root_path
  end

and a user model like this:

  def self.from_omniauth(auth)
    where(auth.slice(:provider, :uid)).first_or_create.tap do |user|
      user.provider ||= auth.provider 
      user.uid = auth.uid
      user.name = auth.info.name
      user.save
    end
  end

I can bypass the ActiveModel error by adding a permit! method in my User Model like that:

where(auth.slice(:provider, :uid).permit!).first_or_create.tap do |user|

But it override the first user from the database... The session[:user_id] seems to always be the first User from the database.

I don't know if it's a strong parameters problem, an Omniauth problem or both?

Answer 1

Replace you current finder:

def self.from_omniauth(auth)
  where(provider: auth.provider, uid: auth.uid).first_or_create do |user|
    user.provider = auth.provider 
    user.uid      = auth.uid
    user.name     = auth.info.name
    user.save
  end
end

Answer 2

I created a detailed writeup of what is happening here:

Rails 4.1.5 Security Fix Breaks Model.where(attributes)

Snippet:

YIKES! Rails 4.1.5 requires you to use safe params for any param to where that is_a? Hash For example, if you were doing a Model.where using slice to take some keys out of some object that derives from Hash, then your code will throw this error when you migrate from Rails 4.1.4 to Rails 4.1.5:

An ActiveModel::ForbiddenAttributesError occurred in omniauth_callbacks#facebook: ActiveModel::ForbiddenAttributesError