Check CSRF, allow a Stripe account to be connected to more than one enterprise (but not vice versa)

2026-03-24 05:38:52 +00:00 · 2016-09-28 17:26:08 +01:00
parent 8ed983cf03
commit 7fd8c5956d
3 changed files with 33 additions and 15 deletions
--- a/app/controllers/admin/enterprises_controller.rb
+++ b/app/controllers/admin/enterprises_controller.rb
@@ -115,26 +115,31 @@ module Admin
    end

    def stripe_connect
-      redirect_to authorize_stripe(params[:enterprise_id]) # csrf: form_authenticity_token)
+      redirect_to authorize_stripe(params[:enterprise_id], csrf: form_authenticity_token)
    end

    def stripe_connect_callback
-      # Check CSRF?
      if params["code"]
-        # Get the deets from Stripe
-        response_params = get_stripe_token(params["code"]).params
-        # Get the Enterprise
        state = JSON.parse(params["state"].gsub("=>",":"))
-        @enterprise = Enterprise.find_by_permalink(state["enterprise_id"])
-
-        stripe_account = StripeAccount.new(stripe_user_id: response_params["stripe_user_id"], stripe_publishable_key: response_params["stripe_publishable_key"], enterprise: @enterprise)
-        if stripe_account.save
-          respond_to do |format|
-            format.html { redirect_to main_app.edit_admin_enterprise_path(@enterprise), notice: "Stripe account connected successfully."}
-            format.json { render json: stripe_account }
-          end
+        # Check csrf
+        if state["csrf"] != form_authenticity_token
+          redirect_to '/unauthorized'
        else
-          render text: "Failed to save Stripe token", status: 500
+          # Get the Enterprise
+          @enterprise = Enterprise.find_by_permalink(state["enterprise_id"])
+
+          # Get the deets from Stripe
+          response_params = get_stripe_token(params["code"]).params
+
+          stripe_account = StripeAccount.new(stripe_user_id: response_params["stripe_user_id"], stripe_publishable_key: response_params["stripe_publishable_key"], enterprise: @enterprise)
+          if stripe_account.save
+            respond_to do |format|
+              format.html { redirect_to main_app.edit_admin_enterprise_path(@enterprise), notice: "Stripe account connected successfully."}
+              format.json { render json: stripe_account }
+            end
+          else
+            render text: "Failed to save Stripe token", status: 500
+          end
        end
      else
        render text: params["error_description"], status: 500
--- a/app/models/stripe_account.rb
+++ b/app/models/stripe_account.rb
@@ -1,5 +1,5 @@
 class StripeAccount < ActiveRecord::Base
  belongs_to :enterprise
  validates_presence_of :stripe_user_id, :stripe_publishable_key
-  validates_uniqueness_of :stripe_user_id, :enterprise_id
+  validates_uniqueness_of :enterprise_id
 end
--- a/spec/features/admin/stripe_connect_spec.rb
+++ b/spec/features/admin/stripe_connect_spec.rb
@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+feature "Connecting a Stripe Account" do
+  include AuthenticationWorkflow
+  include WebHelper
+  before(:each) { login_to_admin_section }
+  let!(:enterprise) { create :enterprise }
+
+  scenario "Passing an invalid CSRF token" do
+    visit "/stripe/callback?state=%7B%22csrf%22%3D%3E%22ByQF3~~~nonsense~~~4hwwmhAek4u4AEo0%3D%22%2C+%22enterprise_id%22%3D%3E%22#{enterprise.permalink}%22%7D&scope=read_only&code=ac_9HJF2pynjz5vlRWGXtpnGvL3yT9y01DY"
+    page.should have_content "Unauthorized" 
+  end
+end