Merge branch 'cve-2015-9284' into dev

CHANGELOG.md

@@ -4,6 +4,7 @@
 - Ability to configure and export the accounting data to the ACD accounting software
 - Compute the VAT per item in each invoices, instead of globally
 - Use Alpine Linux to build the Docker image (#147)
+- Updated omniauth & omniauth-oauth2 gems
 - Ability to set project's CAO attachement maximum upload size
 - Ability to bulk-import members from a CSV file
 - Ability to disable invoices generation and interfaces
@@ -12,6 +13,7 @@
 - Fix a bug: in case of unexpected server error during stripe payment process, the confirm button is not unlocked
 - Fix a bug: create a plan does not set its name
 - Fix a bug: unable to dissociate the last machine from a formation
+- Fix a security issue: fixed [CVE-2015-9284](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284)
 - [TODO DEPLOY] `rake db:migrate`
 - [TODO DEPLOY] -> (only dev) `yarn install` and `bundle install`
 - [TODO DEPLOY] add the `RECAPTCHA_SITE_KEY` and `RECAPTCHA_SECRET_KEY` environment variables (see [doc/environment.md](doc/environment.md) for configuration details)

Gemfile

@@ -69,10 +69,11 @@ gem 'seed_dump'
 
 gem 'pg'
 
-gem 'devise', ">= 4.6.0"
+gem 'devise', '>= 4.6.0'
 
-gem 'omniauth', '~> 1.6.0'
+gem 'omniauth', '~> 1.9.0'
 gem 'omniauth-oauth2'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'
 
 gem 'rolify'
 
@@ -98,8 +99,8 @@ gem 'friendly_id', '~> 5.1.0'
 gem 'aasm'
 
 # Background job processing
-gem 'sidekiq', '>= 3.4.2'
 gem 'redis-namespace'
+gem 'sidekiq', '>= 3.4.2'
 gem 'sinatra', require: false
 # Recurring jobs for Sidekiq
 gem 'sidekiq-cron'
@@ -149,3 +150,5 @@ gem 'rack-protection', '1.5.5'
 gem 'sys-filesystem'
 
 gem 'sha3'
+
+gem 'repost'

Gemfile.lock

@@ -159,7 +159,7 @@ GEM
     execjs (2.7.0)
     faker (1.4.3)
       i18n (~> 0.5)
-    faraday (0.9.2)
+    faraday (0.16.2)
       multipart-post (>= 1.2, < 3)
     ffi (1.9.24)
     figaro (1.1.0)
@@ -180,7 +180,7 @@ GEM
       activerecord (>= 3.0)
     hashdiff (0.3.0)
     hashery (2.1.2)
-    hashie (3.5.7)
+    hashie (3.6.0)
     hike (1.2.3)
     htmlentities (4.3.4)
     http (3.0.0)
@@ -209,7 +209,7 @@ GEM
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
     json (1.8.6)
-    jwt (1.5.1)
+    jwt (2.2.1)
     kaminari (0.16.3)
       actionpack (>= 3.0.0)
       activesupport (>= 3.0.0)
@@ -243,8 +243,8 @@ GEM
       minitest (>= 5.0)
       ruby-progressbar
     multi_json (1.13.1)
-    multi_xml (0.5.5)
-    multipart-post (2.0.0)
+    multi_xml (0.6.0)
+    multipart-post (2.1.1)
     naught (1.1.0)
     nokogiri (1.10.4)
       mini_portile2 (~> 2.4.0)
@@ -252,19 +252,22 @@ GEM
       jbuilder (~> 2.0)
       rails (>= 4.2.0)
       responders (~> 2.0)
-    oauth2 (1.0.0)
-      faraday (>= 0.8, < 0.10)
-      jwt (~> 1.0)
+    oauth2 (1.4.2)
+      faraday (>= 0.8, < 2.0)
+      jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
-      rack (~> 1.2)
+      rack (>= 1.2, < 3)
     oj (2.12.8)
-    omniauth (1.6.1)
-      hashie (>= 3.4.6, < 3.6.0)
+    omniauth (1.9.0)
+      hashie (>= 3.4.6, < 3.7.0)
       rack (>= 1.6.2, < 3)
-    omniauth-oauth2 (1.3.1)
-      oauth2 (~> 1.0)
-      omniauth (~> 1.2)
+    omniauth-oauth2 (1.6.0)
+      oauth2 (~> 1.1)
+      omniauth (~> 1.9)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     openlab_ruby (0.0.4)
       httparty (~> 0.13)
     orm_adapter (0.5.0)
@@ -342,6 +345,7 @@ GEM
     redis-namespace (1.6.0)
       redis (>= 3.0.4)
     ref (2.0.0)
+    repost (0.2.9)
     responders (2.1.0)
       railties (>= 4.2.0, < 5)
     rolify (4.0.0)
@@ -509,8 +513,9 @@ DEPENDENCIES
   minitest-reporters
   notify_with
   oj
-  omniauth (~> 1.6.0)
+  omniauth (~> 1.9.0)
   omniauth-oauth2
+  omniauth-rails_csrf_protection (~> 0.1)
   openlab_ruby
   pdf-reader
   pg
@@ -527,6 +532,7 @@ DEPENDENCIES
   rb-readline
   recurrence
   redis-namespace
+  repost
   responders (~> 2.0)
   rolify
   rubocop (~> 0.61.1)

app/assets/javascripts/controllers/application.js.erb

@@ -82,6 +82,10 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
      */
     $scope.signup = function (e) {
       if (e) { e.preventDefault(); }
+      <% active_provider = AuthProvider.active %>
+      <% if active_provider.providable_type != DatabaseProvider.name %>
+      $window.location.href = '/sso-redirect';
+      <% else %>
 
       return $uibModal.open({
         templateUrl: '<%= asset_path "shared/signupModal.html" %>',
@@ -167,6 +171,7 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
         // when the account was created successfully, set the session to the newly created account
         $scope.setCurrentUser(user);
       });
+      <% end %>
     };
 
     /**
@@ -351,7 +356,7 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
     var openLoginModal = function (toState, toParams, callback) {
       <% active_provider = AuthProvider.active %>
       <% if active_provider.providable_type != DatabaseProvider.name %>
-      $window.location.href = '<%="/users/auth/#{active_provider.strategy_name}"%>';
+      $window.location.href = '/sso-redirect';
       <% else %>
       return $uibModal.open({
         templateUrl: '<%= asset_path "shared/deviseModal.html" %>',

app/assets/javascripts/router.js.erb

@@ -38,7 +38,9 @@ angular.module('application.router', ['ui.router'])
           logoBlackFile: ['CustomAsset', function (CustomAsset) { return CustomAsset.get({ name: 'logo-black-file' }).$promise; }],
           commonTranslations: ['Translations', function (Translations) { return Translations.query(['app.public.common', 'app.shared.buttons', 'app.shared.elements']).$promise; }]
         },
-        onEnter: ['$rootScope', 'logoFile', 'logoBlackFile', function ($rootScope, logoFile, logoBlackFile) {
+        onEnter: ['$rootScope', 'logoFile', 'logoBlackFile', 'CSRF', function ($rootScope, logoFile, logoBlackFile, CSRF) {
+          // Retrieve Anti-CSRF tokens from cookies
+          CSRF.setMetaTags();
           // Application logo
           $rootScope.logo = logoFile.custom_asset;
           return $rootScope.logoBlack = logoBlackFile.custom_asset;

app/assets/javascripts/services/auth.js.erb

@@ -1,6 +1,6 @@
 'use strict';
 
-Application.Services.factory('AuthService', ['Session', function (Session) {
+Application.Services.factory('AuthService', ['Session', 'CSRF', function (Session, CSRF) {
   return {
     isAuthenticated () {
       return (Session.currentUser != null) && (Session.currentUser.id != null);

app/assets/templates/shared/header.html.erb

@@ -46,16 +46,8 @@
         <li><a href="#" class="text-black" ng-click="logout($event)"><i class="fa fa-power-off"></i> {{ 'sign_out' | translate }}</a></li>
       </ul>
     </li>
-    <% active_provider = AuthProvider.active %>
-    <% if active_provider.providable_type == DatabaseProvider.name %>
-      <li ng-if="!isAuthenticated()"><a href="#" class="font-sbold label text-md" ng-click="signup($event)"><i class="fa fa-rocket"></i> {{ 'sign_up' | translate }}</a></li>
-      <li ng-if="!isAuthenticated()">
-          <a href="#" class="font-sbold  label text-md" ng-click="login($event)"><i class="fa fa-sign-in"></i> {{ 'sign_in' | translate }}</a>
-      </li>
-    <% else %>
-        <li ng-if="!isAuthenticated()"><a href="<%= "/users/auth/#{active_provider.strategy_name}"%>" class="font-sbold label text-md"><i class="fa fa-rocket"></i> {{ 'sign_up' | translate }}</a></li>
-        <li ng-if="!isAuthenticated()">
-          <a href="<%= "/users/auth/#{active_provider.strategy_name}"%>" class="font-sbold  label text-md"><i class="fa fa-sign-in"></i> {{ 'sign_in' | translate }}</a>
-        </li>
-    <% end %>
+    <li ng-if="!isAuthenticated()"><a href="#" class="font-sbold label text-md" ng-click="signup($event)"><i class="fa fa-rocket"></i> {{ 'sign_up' | translate }}</a></li>
+    <li ng-if="!isAuthenticated()">
+        <a href="#" class="font-sbold  label text-md" ng-click="login($event)"><i class="fa fa-sign-in"></i> {{ 'sign_in' | translate }}</a>
+    </li>
   </ul>

app/controllers/application_controller.rb

@@ -19,6 +19,12 @@ class ApplicationController < ActionController::Base
 
   def index; end
 
+  def sso_redirect
+    @authorization_token = request.query_parameters[:auth_token]
+    @authentication_token = form_authenticity_token
+    @active_provider = AuthProvider.active
+  end
+
   protected
 
   def set_csrf_cookie

app/controllers/rss/events_controller.rb

@@ -1,9 +1,12 @@
+# frozen_string_literal: true
+
+# RSS feed about 10 last events
 class Rss::EventsController < Rss::RssController
 
   def index
     @events = Event.includes(:event_image, :event_files, :availability, :category)
-                  .where('availabilities.start_at >= ?', Time.now)
-                  .order('availabilities.start_at ASC').references(:availabilities).limit(10)
+                   .where('availabilities.start_at >= ?', Time.now)
+                   .order('availabilities.start_at ASC').references(:availabilities).limit(10)
     @fab_name = Setting.find_by(name: 'fablab_name').value
   end
 end

app/controllers/sessions_controller.rb

@@ -6,7 +6,7 @@ class SessionsController < Devise::SessionsController
   def new
     active_provider = AuthProvider.active
     if active_provider.providable_type != DatabaseProvider.name
-      redirect_to "/users/auth/#{active_provider.strategy_name}"
+      redirect_post "/users/auth/#{active_provider.strategy_name}", params: { authenticity_token: form_authenticity_token }
     else
       super
     end

app/controllers/users/omniauth_callbacks_controller.rb

@@ -17,7 +17,7 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
         # unique random string, because:
         # - if it is the same user, his email will be filled from the SSO when he merge his accounts
         # - if it is not the same user, this will prevent the raise of PG::UniqueViolation
-        if active_provider.sso_fields.include?('user.email') and email_exists?(@user.email)
+        if active_provider.sso_fields.include?('user.email') && email_exists?(@user.email)
           old_mail = @user.email
           @user.email = "<#{old_mail}>#{Devise.friendly_token}-duplicate"
           flash[:alert] = t('omniauth.email_already_linked_to_another_account_please_input_your_authentication_code', OLD_MAIL: old_mail)

app/mailers/notifications_mailer.rb

@@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
+# Handle most of the emails sent by the platform. Triggered by notifications
 class NotificationsMailer < NotifyWith::NotificationsMailer
-  default :from => ENV['DEFAULT_MAIL_FROM']
+  default from: ENV['DEFAULT_MAIL_FROM']
   layout 'notifications_mailer'
 
   helper :application
@@ -9,15 +12,15 @@ class NotificationsMailer < NotifyWith::NotificationsMailer
     @recipient = notification.receiver
     @attached_object = notification.attached_object
 
-    if !respond_to?(notification.notification_type)
-      class_eval %Q{
+    unless respond_to?(notification.notification_type)
+      class_eval %{
         def #{notification.notification_type}
           mail to: @recipient.email,
                subject: t('notifications_mailer.#{notification.notification_type}.subject'),
                template_name: '#{notification.notification_type}',
                content_type: 'text/html'
         end
-      }
+      }, __FILE__, __LINE__ - 7
     end
 
     send(notification.notification_type)
@@ -29,11 +32,15 @@ class NotificationsMailer < NotifyWith::NotificationsMailer
 
   def notify_user_when_invoice_ready
     attachments[@attached_object.filename] = File.read(@attached_object.file)
-    mail(to: @recipient.email, subject: t('notifications_mailer.notify_member_invoice_ready.subject'), template_name: 'notify_member_invoice_ready')
+    mail(to: @recipient.email,
+         subject: t('notifications_mailer.notify_member_invoice_ready.subject'),
+         template_name: 'notify_member_invoice_ready')
   end
 
   def notify_user_when_avoir_ready
     attachments[@attached_object.filename] = File.read(@attached_object.file)
-    mail(to: @recipient.email, subject: t('notifications_mailer.notify_member_avoir_ready.subject'), template_name: 'notify_member_avoir_ready')
+    mail(to: @recipient.email,
+         subject: t('notifications_mailer.notify_member_avoir_ready.subject'),
+         template_name: 'notify_member_avoir_ready')
   end
 end

app/mailers/users_mailer.rb

@@ -1,3 +1,6 @@
+# frozen_string_literal: true
+
+# Handle emails related to users accounts, at Devise level
 class UsersMailer < BaseMailer
   def notify_user_account_created(user, generated_password)
     @user = user

app/views/api/auth_providers/active.json.jbuilder

@@ -4,9 +4,7 @@ json.link_to_sso_profile @provider.link_to_sso_profile
 if @provider.providable_type == DatabaseProvider.name
   json.link_to_sso_connect '/#'
 else
-  json.link_to_sso_connect "/users/auth/#{@provider.strategy_name}"
+  json.link_to_sso_connect '/sso-redirect'
 end
 
-if @provider.providable_type == OAuth2Provider.name
-  json.domain @provider.providable.domain
-end
+json.domain @provider.providable.domain if @provider.providable_type == OAuth2Provider.name

app/views/application/sso_redirect.html.erb

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html lang="<%= I18n.locale %>">
+<head>
+  <meta charset="utf-8">
+  <meta name="robots" content="noindex, follow">
+  <title>Redirect to SSO</title>
+</head>
+<body>
+  <% param = @authorization_token ? "?auth_token=#{@authorization_token}" : '' %>
+  <% url_path = File.join(root_url, "users/auth/#{@active_provider.strategy_name}#{param}") %>
+  <form id="redirect-form" action="<%=url_path%>" method="post" target="_self">
+    <%= hidden_field_tag :authenticity_token, @authentication_token %>
+    <noscript>
+      <input type="submit" value="⇒ Click here to continue"/>
+    </noscript>
+  </form>
+  <script type="text/javascript">
+    document.forms['redirect-form'].submit();
+  </script>
+</body>
+

app/views/notifications_mailer/notify_user_auth_migration.html.erb

@@ -15,12 +15,7 @@
 <% active_provider = AuthProvider.active %>
 <%= render 'notifications_mailer/shared/hello', recipient: @recipient %>
 <%
-  url_path = "/users/auth/#{active_provider.strategy_name}"
-  if url_path[0] == '/' and root_url[-1] == '/'
-    url_path = root_url + url_path[1..-1]
-  else
-    url_path = root_url + url_path
-  end
+  url_path = File.join(root_url, 'sso-redirect')
 %>
 
 <p><%= t(".body.the_platform") %> <%= Setting.find_by(name: 'fablab_name').value %> <%= t(".body.is_changing_its_auth_system_and_will_now_use") %> <%= active_provider.name %> <%= t(".body.instead_of") %> <%= AuthProvider.find_by(status: 'previous').name %>.</p>

app/views/users_mailer/notify_user_account_created.html.erb

@@ -36,10 +36,12 @@
 
 <% else %>
 
+  <% url_path = File.join(root_url, 'sso-redirect') %>
+
   <p>
-    <%= t('.body.thanks_to_') %>
-    <a href="<%= "#{root_url}/users/auth/#{active_provider.strategy_name}?auth_token=#{@user.auth_token}"%>" target="_blank">
-      <%= t('body.logon_or_login', PROVIDER: active_provider.name )%>
+    <%= t('.body.to_use_platform') %>
+    <a href="<%= "#{url_path}?auth_token=#{@user.auth_token}"%>" target="_blank">
+      <%= t('.body.logon_or_login', PROVIDER: active_provider.name )%>
     </a>
   </p>
 

config/application.yml.default

@@ -1,16 +1,21 @@
 # Add application configuration variables here, as shown below.
 
+# Databases
 POSTGRES_HOST: localhost
 POSTGRES_PASSWORD:
 REDIS_HOST: localhost
 ELASTICSEARCH_HOST: localhost
 
+# Stripe
 SECRET_KEY_BASE: 83daf5e7b80d990f037407bab78dff9904aaf3c195a50f84fa8695a22287e707dfbd9524b403b1dcf116ae1d8c06844c3d7ed942564e5b46be6ae3ead93a9d30
 STRIPE_API_KEY:
 STRIPE_PUBLISHABLE_KEY:
 STRIPE_CURRENCY: 'eur'
 
+# Invoices
 INVOICE_PREFIX: Demo-FabLab-facture
+
+# FabLab optional modules
 FABLAB_WITHOUT_PLANS: 'false'
 FABLAB_WITHOUT_SPACES: 'true'
 FABLAB_WITHOUT_ONLINE_PAYMENT: 'false'
@@ -18,9 +23,11 @@ FABLAB_WITHOUT_INVOICES: 'false'
 
 DEFAULT_MAIL_FROM: Fab Manager Demo <noreply@fab-manager.com>
 
-# For prod & staging env only
-DEFAULT_HOST: fab-manager.com
-DEFAULT_PROTOCOL: https
+# Configure carefully!
+DEFAULT_HOST: 'localhost:5000'
+DEFAULT_PROTOCOL: http
+
+# Email config
 DELIVERY_METHOD: smtp
 SMTP_ADDRESS:
 SMTP_PORT: '587'
@@ -29,21 +36,28 @@ SMTP_PASSWORD:
 SMTP_AUTHENTICATION: 'plain'
 SMTP_ENABLE_STARTTLS_AUTO: 'true'
 SMTP_OPENSSL_VERIFY_MODE: ''
+
+# Google analytics
 GA_ID: ''
+
+# Google recaptcha
 RECAPTCHA_SITE_KEY: ''
 RECAPTCHA_SECRET_KEY: ''
-##
 
+# Projects comments
 DISQUS_SHORTNAME:
 
+# Twitter sharing & last tweet on home page
 TWITTER_NAME: 'FablabGrenoble'
 TWITTER_CONSUMER_KEY: ''
 TWITTER_CONSUMER_SECRET: ''
 TWITTER_ACCESS_TOKEN: ''
 TWITTER_ACCESS_TOKEN_SECRET: ''
 
+# Facebook sharing
 FACEBOOK_APP_ID: ''
 
+# I18N configuration
 RAILS_LOCALE: 'fr'
 APP_LOCALE: 'fr'
 MOMENT_LOCALE: 'fr'
@@ -60,10 +74,13 @@ D3_DATE_FORMAT: '%d/%m/%y'
 UIB_DATE_FORMAT: 'dd/MM/yyyy'
 EXCEL_DATE_FORMAT: 'dd/mm/yyyy'
 
+# OpenProjects
 OPENLAB_APP_SECRET:
 OPENLAB_APP_ID:
+# do not change this URL
 OPENLAB_BASE_URI: 'https://openprojects.fab-manager.com'
 
+# System settings
 LOG_LEVEL: 'debug'
 DISK_SPACE_MB_ALERT: '100'
 SUPERADMIN_EMAIL: 'admin@sleede.com'

config/environments/development.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
@@ -13,6 +15,11 @@ Rails.application.configure do
   config.consider_all_requests_local       = true
   config.action_controller.perform_caching = true
 
+  config.action_controller.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
+
   # Don't care if the mailer can't send.
   config.action_mailer.raise_delivery_errors = false
 
@@ -41,9 +48,12 @@ Rails.application.configure do
   # config.action_view.raise_on_missing_translations = true
 
   config.action_mailer.delivery_method = :smtp
-  config.action_mailer.smtp_settings = { :address => '127.0.0.1', :port => 1025 }
+  config.action_mailer.smtp_settings = { address: '127.0.0.1', port: 1025 }
   config.action_mailer.raise_delivery_errors = false
-  config.action_mailer.default_url_options = { :host => 'localhost:5000' }
+  config.action_mailer.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
 
   config.log_level = Rails.application.secrets.log_level || :debug
 end

config/environments/production.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
@@ -14,6 +16,11 @@ Rails.application.configure do
   config.consider_all_requests_local       = false
   config.action_controller.perform_caching = true
 
+  config.action_controller.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
+
   # Enable Rack::Cache to put a simple HTTP cache in front of your application
   # Add `rack-cache` to your Gemfile before enabling this.
   # For large-scale production use, consider using a caching reverse proxy like nginx, varnish or squid.
@@ -81,19 +88,22 @@ Rails.application.configure do
 
   # config.serve_static_assets = true
 
-  config.action_mailer.default_url_options = { :host => Rails.application.secrets.default_host, :protocol => Rails.application.secrets.default_protocol }
+  config.action_mailer.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
   # config.action_mailer.perform_deliveries = true
   # config.action_mailer.raise_delivery_errors = false
   # config.action_mailer.default :charset => "utf-8"
 
   config.action_mailer.smtp_settings = {
-    :address   => Rails.application.secrets.smtp_address,
-    :port      => Rails.application.secrets.smtp_port,
-    :user_name => Rails.application.secrets.smtp_user_name,
-    :password  => Rails.application.secrets.smtp_password,
-    :authentication       => Rails.application.secrets.smtp_authentication,
-    :enable_starttls_auto => Rails.application.secrets.smtp_enable_starttls_auto,
-    :openssl_verify_mode  => Rails.application.secrets.smtp_openssl_verify_mode,
+    address: Rails.application.secrets.smtp_address,
+    port: Rails.application.secrets.smtp_port,
+    user_name: Rails.application.secrets.smtp_user_name,
+    password: Rails.application.secrets.smtp_password,
+    authentication: Rails.application.secrets.smtp_authentication,
+    enable_starttls_auto: Rails.application.secrets.smtp_enable_starttls_auto,
+    openssl_verify_mode: Rails.application.secrets.smtp_openssl_verify_mode,
   }
 
   # use :smtp for switch prod

config/environments/staging.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
@@ -14,6 +16,11 @@ Rails.application.configure do
   config.consider_all_requests_local       = false
   config.action_controller.perform_caching = true
 
+  config.action_controller.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
+
   # Enable Rack::Cache to put a simple HTTP cache in front of your application
   # Add `rack-cache` to your Gemfile before enabling this.
   # For large-scale production use, consider using a caching reverse proxy like nginx, varnish or squid.
@@ -83,20 +90,23 @@ Rails.application.configure do
 
   # config.serve_static_assets = true
 
-  config.action_mailer.default_url_options = { :host => Rails.application.secrets.default_host, :protocol => Rails.application.secrets.default_protocol }
+  config.action_mailer.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
   # config.action_mailer.perform_deliveries = true
   # config.action_mailer.raise_delivery_errors = false
   # config.action_mailer.default :charset => "utf-8"
 
   config.action_mailer.smtp_settings = {
-    :address   => Rails.application.secrets.smtp_address,
-    :port      => Rails.application.secrets.smtp_port,
-    :user_name => Rails.application.secrets.smtp_user_name,
-    :password  => Rails.application.secrets.smtp_password,
-    :authentication       => Rails.application.secrets.smtp_authentication,
-    :enable_starttls_auto => Rails.application.secrets.smtp_enable_starttls_auto,
-    :openssl_verify_mode  => Rails.application.secrets.smtp_openssl_verify_mode,
-    }
+    address: Rails.application.secrets.smtp_address,
+    port: Rails.application.secrets.smtp_port,
+    user_name: Rails.application.secrets.smtp_user_name,
+    password: Rails.application.secrets.smtp_password,
+    authentication: Rails.application.secrets.smtp_authentication,
+    enable_starttls_auto: Rails.application.secrets.smtp_enable_starttls_auto,
+    openssl_verify_mode: Rails.application.secrets.smtp_openssl_verify_mode,
+  }
 
   # use :smtp for switch prod
   config.action_mailer.delivery_method = Rails.application.secrets.delivery_method.to_sym

config/environments/test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
@@ -13,13 +15,18 @@ Rails.application.configure do
   config.eager_load = false
 
   # Configure static asset server for tests with Cache-Control for performance.
-  config.serve_static_files  = true
+  config.serve_static_files = true
   config.static_cache_control = 'public, max-age=3600'
 
   # Show full error reports and disable caching.
   config.consider_all_requests_local       = true
   config.action_controller.perform_caching = false
 
+  config.action_controller.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
+
   # Raise exceptions instead of rendering exception templates.
   config.action_dispatch.show_exceptions = false
 

config/initializers/devise.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
@@ -43,12 +45,12 @@ Devise.setup do |config|
   # Configure which authentication keys should be case-insensitive.
   # These keys will be downcased upon creating or modifying a user and when used
   # to authenticate or find a user. Default is :email.
-  config.case_insensitive_keys = [ :email ]
+  config.case_insensitive_keys = [:email]
 
   # Configure which authentication keys should have whitespace stripped.
   # These keys will have whitespace before and after removed upon creating or
   # modifying a user and when used to authenticate or find a user. Default is :email.
-  config.strip_whitespace_keys = [ :email ]
+  config.strip_whitespace_keys = [:email]
 
   # Tell if authentication through request.params is enabled. True by default.
   # It can be set to an array that will enable params authentication only for the

config/locales/mails.en.yml

@@ -17,8 +17,8 @@ en:
         password: "Password:"
         temporary_password: "This is a temporary password, you can modify it in your «My account» screen."
         keep_advantages: "With this account, you keep all the advantages linked to your Fab Lab user profile (trainings, subscriptions plans)."
-        thanks_to_: "To use the website, please"
-        logon_or_login: "create a new account or log in by clicking here"
+        to_use_platform: "To use the website, please"
+        logon_or_login: "create a new account or log in by clicking here."
         token_if_link_problem: "If you experience issues with the link, you can enter the following code at your first connection attempt:"
 
   notifications_mailer:

config/locales/mails.es.yml

@@ -17,8 +17,8 @@ es:
         password: "Contraseña:"
         temporary_password: "Esta es una contraseña temporal, puede modificarla en la pantalla <<Mi cuenta>>."
         keep_advantages: "Con esta cuenta, guarda todas las ventajas relacionadas con su perfil de usuario de Fab Lab (cursos, planes de suscripción)."
-        thanks_to_: "Para usar el sitio web, por favor"
-        logon_or_login: "crea una nueva cuenta o inicia sesión haciendo clic aquí"
+        to_use_platform: "Para usar el sitio web, por favor"
+        logon_or_login: "crea una nueva cuenta o inicia sesión haciendo clic aquí."
         token_if_link_problem: "Si experimenta problemas con el enlace, puede introducir el siguiente código en el primer intento de conexión:"
 
   notifications_mailer:

config/locales/mails.fr.yml

@@ -17,8 +17,8 @@ fr:
         password: "Mot de passe :"
         temporary_password: "Ce mot de passe est temporaire, vous pourrez le modifier en accédant à l’espace « Mon compte »."
         keep_advantages: "Avec ce compte, vous conservez bien entendu tous les avantages liés à votre profil utilisateur Fab Lab (abonnement, formations)."
-        thanks_to_: "Pour pouvoir utiliser la plateforme, merci de vous"
-        logon_or_login: "créer un compte sur %{PROVIDER} ou utiliser un compte pré-existant en cliquant ici"
+        to_use_platform: "Pour pouvoir utiliser la plateforme, merci de vous"
+        logon_or_login: "créer un compte sur %{PROVIDER} ou utiliser un compte pré-existant en cliquant ici."
         token_if_link_problem: "En cas de problème avec le lien, vous pourrez saisir manuellement le code suivant lors de votre première connexion :"
 
   notifications_mailer:

config/locales/mails.pt.yml

@@ -17,8 +17,8 @@ pt:
         password: "Senha:"
         temporary_password: "Essa é uma senha temporária, você pode modificar isso na página «Minha conta»."
         keep_advantages: "Com esta conta, você mantém todas as vantagens associadas ao seu perfil de usuário Fab Lab (treinamentos, planos de assinaturas)."
-        thanks_to_: "Para usar o site, por favor"
-        logon_or_login: "Criar uma nova conta ou fazer login clicando aqui"
+        to_use_platform: "Para usar o site, por favor"
+        logon_or_login: "criar uma nova conta ou fazer login clicando aqui."
         token_if_link_problem: "Se você tiver problemas com o link, você poderá inserir o código a seguir na primeira tentativa de conexão:"
 
   notifications_mailer:

config/routes.rb

@@ -15,6 +15,7 @@ Rails.application.routes.draw do
       registrations: 'registrations', sessions: 'sessions', confirmations: 'confirmations', passwords: 'passwords',
       omniauth_callbacks: 'users/omniauth_callbacks'
     }
+    get '/sso-redirect', to: 'application#sso_redirect', as: :sso_redirect
   end
 
 

lib/omni_auth/strategies/sso_oauth2_provider.rb

@@ -24,6 +24,10 @@ module OmniAuth::Strategies
            authorize_url: active_provider.providable.authorization_endpoint,
            token_url: active_provider.providable.token_endpoint
 
+    def callback_url
+      url = Rails.application.config.action_controller.default_url_options
+      "#{url[:protocol]}://#{url[:host]}#{script_name}#{callback_path}"
+    end
 
     uid { parsed_info['user.uid'.to_sym] }
 

test/mailers/previews/notifications_mailer_preview.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class NotificationsMailerPreview < ActionMailer::Preview
+  def notify_user_auth_migration
+    notif = Notification.where(notification_type_id: NotificationType.find_by_name('notify_user_auth_migration')).first
+    NotificationsMailer.send_mail_by(notif)
+  end
+end

test/mailers/previews/users_mailer_preview.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class UsersMailerPreview < ActionMailer::Preview
+  def notify_user_account_created
+    UsersMailer.notify_user_account_created(User.first, 'test')
+  end
+end