Anyone at @github's GHSA team care to look into this PR that got closed? I believe I've found an omniauth-saml advisory that simply references three other GHSA advisories that affect one of it's dependencies, ruby-saml. I see no evidence why a separate advisory needs to exist for omniauth-saml, when the security issues exist in ruby-saml, and can easily be upgraded independently of omniauth-saml (ex: gem upgrade ruby-saml / bundle update ruby-saml). This seems like a maintainer created yet another advisory simply to notify their users about other advisories affecting their dependencies, which seems like overkill and creates duplicate security advisory data. I think this GHSA advisory should be withdrawn/removed.
https://github.com/github/advisory-database/pull/5625
#omniauth
Merci @apps d’avoir intégré un contournement
https://codeberg.org/tom79/Fedilab/commit/1dbc5b7a89955213c9ba288dd77a757f0cb45858
#openID #SAML #omniauth #mastodon #bug #fedilab #contournement
Votre admin ne dispose pas d’ordiphone Google ou Apple mais uniquement un pinePhone sous Mobian, il est donc difficile de fournir une procédure de contournement testée et approuvée 😉
Il ne semble pas sûr que toutes les applications permettent l’utilisation du navigateur externe pour la phase d’authentification.
Un #bogue #mastodon rend l’utilisation d’applications ordiphones comme #tusky ou autre (utilisant #webView semble-t-il) quasiment ou totalement inutilisable lorsque le serveur est configuré avec une authentification #openID ou #SAML (#omniauth) :
https://github.com/mastodon/mastodon/issues/18481
Le seul contournement qui nous semblent « utilisable » :
1. forcer l’application à utiliser un navigateur externe
2. se connecter avec le navigateur externe
3. procéder à l’authentification via l’application
@pixelpaperyarn one reason I like #ruby is because it often has batteries included libraries; such as #devise or #omniauth.
That said there’s also some great gems for functional programming like #immutable and #contractsrb and #functionalruby