Omniauth: v2.0.2 Release

Release date: February 2, 2021
Previous version: v2.0.1 (released January 16, 2021)
Magnitude: 37 Diff Delta
Contributors: 2 total committers

Top Contributors in v2.0.2

jim-dalton-50d3
BobbyMcWho

Release Notes Published

@jsdalton gave an awesome report of the issue present in test_mode in #1033

The current implementation of mock_call was verifying the token for all requests, regardless of whether the current path is on the omniauth request path. The change was introduced recently in 1b784ff. See #1032 for details.

This creates two problems:

  1. When test mode is on, the authenticity verification logic is run inappropriately against requests where this may not even be wanted.
  2. The behavior varies from actual production behavior, potentially allowing bugs to be introduced by unwary developers.

Note that this bug was only present when OmniAuth was configured for test_mode and using the mock_call phases.
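
A simplified model of the behaviour described above, added here as an illustration and not taken from OmniAuth's source. The method names, the request path, the token value and the result symbols are all assumptions; the two handlers differ only in where the token check runs.

```ruby
# Toy model of test-mode request handling. Hypothetical names throughout;
# this is not OmniAuth's implementation.
REQUEST_PATH = '/auth/example'      # assumed provider request path
VALID_TOKEN  = 'constructed-token'  # constructed sample value

# Stand-in for the authenticity check: raises when the token does not match.
VALIDATE = lambda do |env|
  raise 'invalid authenticity token' unless env['token'] == VALID_TOKEN
end

# Stand-in for the application the middleware wraps.
APP = ->(_env) { :passed_to_app }

def on_request_path?(env)
  env['PATH_INFO'] == REQUEST_PATH
end

# Reported behaviour: the check runs for every request while test mode is on.
def mock_call_before(env)
  VALIDATE.call(env)
  return :mock_request_phase if on_request_path?(env)
  APP.call(env)
rescue RuntimeError
  :rejected
end

# Fixed behaviour: the check runs only when the request is on the request path.
def mock_call_after(env)
  if on_request_path?(env)
    VALIDATE.call(env)
    return :mock_request_phase
  end
  APP.call(env)
rescue RuntimeError
  :rejected
end

# Constructed sample requests: an unrelated page, then the request path
# without and with a valid token.
UNRELATED     = { 'PATH_INFO' => '/posts', 'token' => nil }.freeze
AUTH_NO_TOKEN = { 'PATH_INFO' => REQUEST_PATH, 'token' => nil }.freeze
AUTH_OK       = { 'PATH_INFO' => REQUEST_PATH, 'token' => VALID_TOKEN }.freeze

# Result of each sample request under the named handler, in the order above.
def outcomes(handler)
  [UNRELATED, AUTH_NO_TOKEN, AUTH_OK].map { |env| method(handler).call(env) }
end
```

Only the unrelated request changes outcome between the two handlers, which makes it the case a regression test for this fix should cover alongside the rejected tokenless request on the request path.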