added gem omniauth-rails_csrf_protection + [ongoing] moving from GET /users/auth/... to POST

2025-01-17 06:52:27 +01:00 · 2019-10-01 17:14:16 +02:00 · 2019-10-01 17:14:16 +02:00 · 35b069a4db
commit 35b069a4db
parent 0ab2cbdea1
6 changed files with 15 additions and 5 deletions
--- a/1
+++ b/1
@ -73,6 +73,7 @@ gem 'devise', ">= 4.6.0"

 gem 'omniauth', '~> 1.6.0'
 gem 'omniauth-oauth2'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'

 gem 'rolify'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -265,6 +265,9 @@ GEM
    omniauth-oauth2 (1.3.1)
      oauth2 (~> 1.0)
      omniauth (~> 1.2)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
    openlab_ruby (0.0.4)
      httparty (~> 0.13)
    orm_adapter (0.5.0)
@ -511,6 +514,7 @@ DEPENDENCIES
  oj
  omniauth (~> 1.6.0)
  omniauth-oauth2
+  omniauth-rails_csrf_protection (~> 0.1)
  openlab_ruby
  pdf-reader
  pg
--- a/app/assets/javascripts/controllers/application.js.erb
+++ b/app/assets/javascripts/controllers/application.js.erb
@ -351,6 +351,7 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
    var openLoginModal = function (toState, toParams, callback) {
      <% active_provider = AuthProvider.active %>
      <% if active_provider.providable_type != DatabaseProvider.name %>
+
      $window.location.href = '<%="/users/auth/#{active_provider.strategy_name}"%>';
      <% else %>
      return $uibModal.open({
--- a/app/assets/javascripts/router.js.erb
+++ b/app/assets/javascripts/router.js.erb
@ -38,7 +38,9 @@ angular.module('application.router', ['ui.router'])
          logoBlackFile: ['CustomAsset', function (CustomAsset) { return CustomAsset.get({ name: 'logo-black-file' }).$promise; }],
          commonTranslations: ['Translations', function (Translations) { return Translations.query(['app.public.common', 'app.shared.buttons', 'app.shared.elements']).$promise; }]
        },
-        onEnter: ['$rootScope', 'logoFile', 'logoBlackFile', function ($rootScope, logoFile, logoBlackFile) {
+        onEnter: ['$rootScope', 'logoFile', 'logoBlackFile', 'CSRF', function ($rootScope, logoFile, logoBlackFile, CSRF) {
+          // Retrieve Anti-CSRF tokens from cookies
+          CSRF.setMetaTags();
          // Application logo
          $rootScope.logo = logoFile.custom_asset;
          return $rootScope.logoBlack = logoBlackFile.custom_asset;
--- a/app/assets/templates/shared/header.html.erb
+++ b/app/assets/templates/shared/header.html.erb
@ -55,7 +55,9 @@
    <% else %>
        <li ng-if="!isAuthenticated()"><a href="<%= "/users/auth/#{active_provider.strategy_name}"%>" class="font-sbold label text-md"><i class="fa fa-rocket"></i> {{ 'sign_up' | translate }}</a></li>
        <li ng-if="!isAuthenticated()">
-          <a href="<%= "/users/auth/#{active_provider.strategy_name}"%>" class="font-sbold  label text-md"><i class="fa fa-sign-in"></i> {{ 'sign_in' | translate }}</a>
+          <%= link_to(raw("<i class='fa fa-sign-in'></i> {{ 'sign_in' | translate }}"),
+                      "/users/auth/#{active_provider.strategy_name}",
+                      { method: :post, class: 'font-sbold label text-md' }) %>
        </li>
    <% end %>
  </ul>
--- a/app/views/users_mailer/notify_user_account_created.html.erb
+++ b/app/views/users_mailer/notify_user_account_created.html.erb
@ -38,9 +38,9 @@

  <p>
    <%= t('.body.thanks_to_') %>
-    <a href="<%= "#{root_url}/users/auth/#{active_provider.strategy_name}?auth_token=#{@user.auth_token}"%>" target="_blank">
-      <%= t('body.logon_or_login', PROVIDER: active_provider.name )%>
-    </a>
+    <%= link_to(t('.body.logon_or_login', PROVIDER: active_provider.name ),
+                "#{root_url}/users/auth/#{active_provider.strategy_name}?auth_token=#{@user.auth_token}",
+                { method: :post, target: '_blank' }) %>
  </p>

  <p><%= t('.body.token_if_link_problem') %></p>