From 35b069a4dbfa5f74db7af887d51473087fd94c52 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Tue, 1 Oct 2019 17:14:16 +0200
Subject: [PATCH] added gem omniauth-rails_csrf_protection + [ongoing] moving from GET /users/auth/... to POST
---
 Gemfile | 1 +
 Gemfile.lock | 4 ++++
 app/assets/javascripts/controllers/application.js.erb | 1 +
 app/assets/javascripts/router.js.erb | 4 +++-
 app/assets/templates/shared/header.html.erb | 4 +++-
 app/views/users_mailer/notify_user_account_created.html.erb | 6 +++---
 6 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/Gemfile b/Gemfile
index 697e34052..1d55613ef 100644
--- a/Gemfile
+++ b/Gemfile
@@ -73,6 +73,7 @@ gem 'devise', ">= 4.6.0"
 gem 'omniauth', '~> 1.6.0'
 gem 'omniauth-oauth2'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'
 gem 'rolify'
diff --git a/Gemfile.lock b/Gemfile.lock
index 10cddb765..13f3c98ac 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -265,6 +265,9 @@ GEM
 omniauth-oauth2 (1.3.1)
 oauth2 (~> 1.0)
 omniauth (~> 1.2)
+ omniauth-rails_csrf_protection (0.1.2)
+ actionpack (>= 4.2)
+ omniauth (>= 1.3.1)
 openlab_ruby (0.0.4)
 httparty (~> 0.13)
 orm_adapter (0.5.0)
@@ -511,6 +514,7 @@ DEPENDENCIES
 oj
 omniauth (~> 1.6.0)
 omniauth-oauth2
+ omniauth-rails_csrf_protection (~> 0.1)
 openlab_ruby
 pdf-reader
 pg
diff --git a/app/assets/javascripts/controllers/application.js.erb b/app/assets/javascripts/controllers/application.js.erb
index c3bcadf2c..3bc0b452c 100644
--- a/app/assets/javascripts/controllers/application.js.erb
+++ b/app/assets/javascripts/controllers/application.js.erb
@@ -351,6 +351,7 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
 var openLoginModal = function (toState, toParams, callback) {
 <% active_provider = AuthProvider.active %>
 <% if active_provider.providable_type != DatabaseProvider.name %>
+ $window.location.href = '<%="/users/auth/#{active_provider.strategy_name}"%>';
 <% else %>
 return $uibModal.open({
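Review bot: The added `$window.location.href = '/users/auth/…'` line performs a plain GET navigation to the OmniAuth request phase, yet the same commit adds omniauth-rails_csrf_protection, whose request-phase check requires a Rails authenticity token that a bare GET never carries, so this redirect will most likely be rejected once the gem is active (the "[ongoing]" in the subject suggests this is known but it is worth not merging in this state). The provider login should instead be submitted as a POST form that carries the token from the `csrf-token` meta tag which `CSRF.setMetaTags()` presumably populates — I am inferring the meta tag name from the Rails convention, so confirm it against the CSRF service. Whether `$window` is injected into this controller is not visible in the hunk, and the body of `openLoginModal` continues past the end of the hunk. A replacement for the added line along these lines:
```javascript
<% if active_provider.providable_type != DatabaseProvider.name %>
  // The OmniAuth request phase is CSRF-protected (omniauth-rails_csrf_protection):
  // it must be a POST carrying the Rails authenticity token, a bare GET is rejected.
  var tokenMeta = document.querySelector('meta[name="csrf-token"]');
  var form = document.createElement('form');
  form.method = 'POST';
  form.action = '<%="/users/auth/#{active_provider.strategy_name}"%>';
  var tokenInput = document.createElement('input');
  tokenInput.type = 'hidden';
  tokenInput.name = 'authenticity_token';
  tokenInput.value = tokenMeta ? tokenMeta.content : '';
  form.appendChild(tokenInput);
  document.body.appendChild(form);
  form.submit();
<% else %>
// … unchanged: $uibModal.open({ … (continues outside the hunk) …
```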
diff --git a/app/assets/javascripts/router.js.erb b/app/assets/javascripts/router.js.erb
index d9f8b1c7d..cfd27e274 100644
--- a/app/assets/javascripts/router.js.erb
+++ b/app/assets/javascripts/router.js.erb
@@ -38,7 +38,9 @@ angular.module('application.router', ['ui.router'])
 logoBlackFile: ['CustomAsset', function (CustomAsset) { return CustomAsset.get({ name: 'logo-black-file' }).$promise; }],
 commonTranslations: ['Translations', function (Translations) { return Translations.query(['app.public.common', 'app.shared.buttons', 'app.shared.elements']).$promise; }]
 },
- onEnter: ['$rootScope', 'logoFile', 'logoBlackFile', function ($rootScope, logoFile, logoBlackFile) {
+ onEnter: ['$rootScope', 'logoFile', 'logoBlackFile', 'CSRF', function ($rootScope, logoFile, logoBlackFile, CSRF) {
+ // Retrieve Anti-CSRF tokens from cookies
+ CSRF.setMetaTags();
 // Application logo
 $rootScope.logo = logoFile.custom_asset;
 return $rootScope.logoBlack = logoBlackFile.custom_asset;
diff --git a/app/assets/templates/shared/header.html.erb b/app/assets/templates/shared/header.html.erb
index dbbd72be6..1c1b23575 100644
--- a/app/assets/templates/shared/header.html.erb
+++ b/app/assets/templates/shared/header.html.erb
@@ -55,7 +55,9 @@ <% else %>
  • " class="font-sbold label text-md"> {{ 'sign_up' | translate }}
  • - " class="font-sbold label text-md"> {{ 'sign_in' | translate }} + <%= link_to(raw(" {{ 'sign_in' | translate }}"), + "/users/auth/#{active_provider.strategy_name}", + { method: :post, class: 'font-sbold label text-md' }) %>
  • <% end %>
diff --git a/app/views/users_mailer/notify_user_account_created.html.erb b/app/views/users_mailer/notify_user_account_created.html.erb
index 1c3bfac6e..ed86379d1 100644
--- a/app/views/users_mailer/notify_user_account_created.html.erb
+++ b/app/views/users_mailer/notify_user_account_created.html.erb
@@ -38,9 +38,9 @@
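Review bot: The new `link_to(..., method: :post)` for sign_in only emits an anchor with `data-method="post"`; the actual POST, and the `authenticity_token` the newly CSRF-protected request phase now demands, is assembled at click time by rails-ujs/jquery_ujs, and nothing in this commit shows that driver is loaded in the Angular-rendered app — without it the anchor degrades to exactly the GET to `/users/auth/…` the commit is trying to remove. Since this template lives under app/assets its ERB presumably runs at asset build time, so the token cannot be baked in server-side and must come from the `csrf-token` meta tag at runtime; please verify the UJS driver is bundled and that `CSRF.setMetaTags()` (router.js.erb) has run before this header can be clicked, or replace the link with a small handler that builds and submits the POST form itself. The same `method: :post` link is used in the mailer template of this commit, where no JavaScript runs at all, so that one cannot produce a POST either. I would also add a comment above the link such as `<%# method: :post is honoured only by rails-ujs (data-method), which reads the authenticity token from the csrf-token meta tag at click time %>`.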

     <%= t('.body.thanks_to_') %>
- " target="_blank">
- <%= t('body.logon_or_login', PROVIDER: active_provider.name )%>
-
+ <%= link_to(t('.body.logon_or_login', PROVIDER: active_provider.name ),
+ "#{root_url}/users/auth/#{active_provider.strategy_name}?auth_token=#{@user.auth_token}",
+ { method: :post, target: '_blank' }) %>

    <%= t('.body.token_if_link_problem') %>