migrated links to /users/auth from GET to POST

see https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284 for more info
2025-01-17 06:52:27 +01:00 · 2019-10-02 14:37:47 +02:00 · 2019-10-02 14:37:47 +02:00 · 927479733b
commit 927479733b
parent 35b069a4db
26 changed files with 153 additions and 70 deletions
--- a/4
+++ b/4
@ -99,8 +99,8 @@ gem 'friendly_id', '~> 5.1.0'
 gem 'aasm'

 # Background job processing
-gem 'sidekiq', '>= 3.4.2'
 gem 'redis-namespace'
+gem 'sidekiq', '>= 3.4.2'
 gem 'sinatra', require: false
 # Recurring jobs for Sidekiq
 gem 'sidekiq-cron'
@ -150,3 +150,5 @@ gem 'rack-protection', '1.5.5'
 gem 'sys-filesystem'

 gem 'sha3'
+
+gem 'repost'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -345,6 +345,7 @@ GEM
    redis-namespace (1.6.0)
      redis (>= 3.0.4)
    ref (2.0.0)
+    repost (0.2.9)
    responders (2.1.0)
      railties (>= 4.2.0, < 5)
    rolify (4.0.0)
@ -531,6 +532,7 @@ DEPENDENCIES
  rb-readline
  recurrence
  redis-namespace
+  repost
  responders (~> 2.0)
  rolify
  rubocop (~> 0.61.1)
--- a/app/assets/javascripts/controllers/application.js.erb
+++ b/app/assets/javascripts/controllers/application.js.erb
@ -82,6 +82,10 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
     */
    $scope.signup = function (e) {
      if (e) { e.preventDefault(); }
+      <% active_provider = AuthProvider.active %>
+      <% if active_provider.providable_type != DatabaseProvider.name %>
+      $window.location.href = '/sso-redirect';
+      <% else %>

      return $uibModal.open({
        templateUrl: '<%= asset_path "shared/signupModal.html" %>',
@ -167,6 +171,7 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
        // when the account was created successfully, set the session to the newly created account
        $scope.setCurrentUser(user);
      });
+      <% end %>
    };

    /**
@ -351,8 +356,7 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco
    var openLoginModal = function (toState, toParams, callback) {
      <% active_provider = AuthProvider.active %>
      <% if active_provider.providable_type != DatabaseProvider.name %>
-
-      $window.location.href = '<%="/users/auth/#{active_provider.strategy_name}"%>';
+      $window.location.href = '/sso-redirect';
      <% else %>
      return $uibModal.open({
        templateUrl: '<%= asset_path "shared/deviseModal.html" %>',
--- a/app/assets/javascripts/services/auth.js.erb
+++ b/app/assets/javascripts/services/auth.js.erb
@ -1,6 +1,6 @@
 'use strict';

-Application.Services.factory('AuthService', ['Session', function (Session) {
+Application.Services.factory('AuthService', ['Session', 'CSRF', function (Session, CSRF) {
  return {
    isAuthenticated () {
      return (Session.currentUser != null) && (Session.currentUser.id != null);
--- a/app/assets/templates/shared/header.html.erb
+++ b/app/assets/templates/shared/header.html.erb
@ -46,18 +46,8 @@
        <li><a href="#" class="text-black" ng-click="logout($event)"><i class="fa fa-power-off"></i> {{ 'sign_out' | translate }}</a></li>
      </ul>
    </li>
-    <% active_provider = AuthProvider.active %>
-    <% if active_provider.providable_type == DatabaseProvider.name %>
-      <li ng-if="!isAuthenticated()"><a href="#" class="font-sbold label text-md" ng-click="signup($event)"><i class="fa fa-rocket"></i> {{ 'sign_up' | translate }}</a></li>
-      <li ng-if="!isAuthenticated()">
-          <a href="#" class="font-sbold  label text-md" ng-click="login($event)"><i class="fa fa-sign-in"></i> {{ 'sign_in' | translate }}</a>
-      </li>
-    <% else %>
-        <li ng-if="!isAuthenticated()"><a href="<%= "/users/auth/#{active_provider.strategy_name}"%>" class="font-sbold label text-md"><i class="fa fa-rocket"></i> {{ 'sign_up' | translate }}</a></li>
-        <li ng-if="!isAuthenticated()">
-          <%= link_to(raw("<i class='fa fa-sign-in'></i> {{ 'sign_in' | translate }}"),
-                      "/users/auth/#{active_provider.strategy_name}",
-                      { method: :post, class: 'font-sbold label text-md' }) %>
-        </li>
-    <% end %>
+    <li ng-if="!isAuthenticated()"><a href="#" class="font-sbold label text-md" ng-click="signup($event)"><i class="fa fa-rocket"></i> {{ 'sign_up' | translate }}</a></li>
+    <li ng-if="!isAuthenticated()">
+        <a href="#" class="font-sbold  label text-md" ng-click="login($event)"><i class="fa fa-sign-in"></i> {{ 'sign_in' | translate }}</a>
+    </li>
  </ul>
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -19,6 +19,12 @@ class ApplicationController < ActionController::Base

  def index; end

+  def sso_redirect
+    @authorization_token = request.query_parameters[:auth_token]
+    @authentication_token = form_authenticity_token
+    @active_provider = AuthProvider.active
+  end
+
  protected

  def set_csrf_cookie
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -6,7 +6,7 @@ class SessionsController < Devise::SessionsController
  def new
    active_provider = AuthProvider.active
    if active_provider.providable_type != DatabaseProvider.name
-      redirect_to "/users/auth/#{active_provider.strategy_name}"
+      redirect_post "/users/auth/#{active_provider.strategy_name}", params: { authenticity_token: form_authenticity_token }
    else
      super
    end
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@ -17,7 +17,7 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
        # unique random string, because:
        # - if it is the same user, his email will be filled from the SSO when he merge his accounts
        # - if it is not the same user, this will prevent the raise of PG::UniqueViolation
-        if active_provider.sso_fields.include?('user.email') and email_exists?(@user.email)
+        if active_provider.sso_fields.include?('user.email') && email_exists?(@user.email)
          old_mail = @user.email
          @user.email = "<#{old_mail}>#{Devise.friendly_token}-duplicate"
          flash[:alert] = t('omniauth.email_already_linked_to_another_account_please_input_your_authentication_code', OLD_MAIL: old_mail)
--- a/app/mailers/notifications_mailer.rb
+++ b/app/mailers/notifications_mailer.rb
@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
+# Handle most of the emails sent by the platform. Triggered by notifications
 class NotificationsMailer < NotifyWith::NotificationsMailer
-  default :from => ENV['DEFAULT_MAIL_FROM']
+  default from: ENV['DEFAULT_MAIL_FROM']
  layout 'notifications_mailer'

  helper :application
@ -9,15 +12,15 @@ class NotificationsMailer < NotifyWith::NotificationsMailer
    @recipient = notification.receiver
    @attached_object = notification.attached_object

-    if !respond_to?(notification.notification_type)
-      class_eval %Q{
+    unless respond_to?(notification.notification_type)
+      class_eval %{
        def #{notification.notification_type}
          mail to: @recipient.email,
               subject: t('notifications_mailer.#{notification.notification_type}.subject'),
               template_name: '#{notification.notification_type}',
               content_type: 'text/html'
        end
-      }
+      }, __FILE__, __LINE__ - 7
    end

    send(notification.notification_type)
@ -29,11 +32,15 @@ class NotificationsMailer < NotifyWith::NotificationsMailer

  def notify_user_when_invoice_ready
    attachments[@attached_object.filename] = File.read(@attached_object.file)
-    mail(to: @recipient.email, subject: t('notifications_mailer.notify_member_invoice_ready.subject'), template_name: 'notify_member_invoice_ready')
+    mail(to: @recipient.email,
+         subject: t('notifications_mailer.notify_member_invoice_ready.subject'),
+         template_name: 'notify_member_invoice_ready')
  end

  def notify_user_when_avoir_ready
    attachments[@attached_object.filename] = File.read(@attached_object.file)
-    mail(to: @recipient.email, subject: t('notifications_mailer.notify_member_avoir_ready.subject'), template_name: 'notify_member_avoir_ready')
+    mail(to: @recipient.email,
+         subject: t('notifications_mailer.notify_member_avoir_ready.subject'),
+         template_name: 'notify_member_avoir_ready')
  end
 end
--- a/app/mailers/users_mailer.rb
+++ b/app/mailers/users_mailer.rb
@ -1,3 +1,6 @@
+# frozen_string_literal: true
+
+# Handle emails related to users accounts, at Devise level
 class UsersMailer < BaseMailer
  def notify_user_account_created(user, generated_password)
    @user = user
--- a/app/views/api/auth_providers/active.json.jbuilder
+++ b/app/views/api/auth_providers/active.json.jbuilder
@ -4,9 +4,7 @@ json.link_to_sso_profile @provider.link_to_sso_profile
 if @provider.providable_type == DatabaseProvider.name
  json.link_to_sso_connect '/#'
 else
-  json.link_to_sso_connect "/users/auth/#{@provider.strategy_name}"
+  json.link_to_sso_connect '/sso-redirect'
 end

-if @provider.providable_type == OAuth2Provider.name
-  json.domain @provider.providable.domain
-end
+json.domain @provider.providable.domain if @provider.providable_type == OAuth2Provider.name
--- a/app/views/application/sso_redirect.html.erb
+++ b/app/views/application/sso_redirect.html.erb
@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html lang="<%= I18n.locale %>">
+<head>
+  <meta charset="utf-8">
+  <meta name="robots" content="noindex, follow">
+  <title>Redirect to SSO</title>
+</head>
+<body>
+  <% param = @authorization_token ? "?auth_token=#{@authorization_token}" : '' %>
+  <% url_path = File.join(root_url, "users/auth/#{@active_provider.strategy_name}#{param}") %>
+  <form id="redirect-form" action="<%=url_path%>" method="post" target="_self">
+    <%= hidden_field_tag :authenticity_token, @authentication_token %>
+    <noscript>
+      <input type="submit" value="⇒ Click here to continue"/>
+    </noscript>
+  </form>
+  <script type="text/javascript">
+    document.forms['redirect-form'].submit();
+  </script>
+</body>
+
--- a/app/views/notifications_mailer/notify_user_auth_migration.html.erb
+++ b/app/views/notifications_mailer/notify_user_auth_migration.html.erb
@ -15,12 +15,7 @@
 <% active_provider = AuthProvider.active %>
 <%= render 'notifications_mailer/shared/hello', recipient: @recipient %>
 <%
-  url_path = "/users/auth/#{active_provider.strategy_name}"
-  if url_path[0] == '/' and root_url[-1] == '/'
-    url_path = root_url + url_path[1..-1]
-  else
-    url_path = root_url + url_path
-  end
+  url_path = File.join(root_url, 'sso-redirect')
 %>

 <p><%= t(".body.the_platform") %> <%= Setting.find_by(name: 'fablab_name').value %> <%= t(".body.is_changing_its_auth_system_and_will_now_use") %> <%= active_provider.name %> <%= t(".body.instead_of") %> <%= AuthProvider.find_by(status: 'previous').name %>.</p>
--- a/app/views/users_mailer/notify_user_account_created.html.erb
+++ b/app/views/users_mailer/notify_user_account_created.html.erb
@ -36,11 +36,13 @@

 <% else %>

+  <% url_path = File.join(root_url, 'sso-redirect') %>
+
  <p>
-    <%= t('.body.thanks_to_') %>
-    <%= link_to(t('.body.logon_or_login', PROVIDER: active_provider.name ),
-                "#{root_url}/users/auth/#{active_provider.strategy_name}?auth_token=#{@user.auth_token}",
-                { method: :post, target: '_blank' }) %>
+    <%= t('.body.to_use_platform') %>
+    <a href="<%= "#{url_path}?auth_token=#{@user.auth_token}"%>" target="_blank">
+      <%= t('.body.logon_or_login', PROVIDER: active_provider.name )%>
+    </a>
  </p>

  <p><%= t('.body.token_if_link_problem') %></p>
--- a/config/application.yml.default
+++ b/config/application.yml.default
@ -19,8 +19,8 @@ FABLAB_WITHOUT_INVOICES: 'false'
 DEFAULT_MAIL_FROM: Fab Manager Demo <noreply@fab-manager.com>

 # For prod & staging env only
-DEFAULT_HOST: fab-manager.com
-DEFAULT_PROTOCOL: https
+DEFAULT_HOST: 'localhost:5000'
+DEFAULT_PROTOCOL: http
 DELIVERY_METHOD: smtp
 SMTP_ADDRESS:
 SMTP_PORT: '587'
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.

@ -13,6 +15,11 @@ Rails.application.configure do
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = true

+  config.action_controller.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
+
  # Don't care if the mailer can't send.
  config.action_mailer.raise_delivery_errors = false

@ -41,9 +48,12 @@ Rails.application.configure do
  # config.action_view.raise_on_missing_translations = true

  config.action_mailer.delivery_method = :smtp
-  config.action_mailer.smtp_settings = { :address => '127.0.0.1', :port => 1025 }
+  config.action_mailer.smtp_settings = { address: '127.0.0.1', port: 1025 }
  config.action_mailer.raise_delivery_errors = false
-  config.action_mailer.default_url_options = { :host => 'localhost:5000' }
+  config.action_mailer.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }

  config.log_level = Rails.application.secrets.log_level || :debug
 end
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.

@ -14,6 +16,11 @@ Rails.application.configure do
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true

+  config.action_controller.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
+
  # Enable Rack::Cache to put a simple HTTP cache in front of your application
  # Add `rack-cache` to your Gemfile before enabling this.
  # For large-scale production use, consider using a caching reverse proxy like nginx, varnish or squid.
@ -81,19 +88,22 @@ Rails.application.configure do

  # config.serve_static_assets = true

-  config.action_mailer.default_url_options = { :host => Rails.application.secrets.default_host, :protocol => Rails.application.secrets.default_protocol }
+  config.action_mailer.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
  # config.action_mailer.perform_deliveries = true
  # config.action_mailer.raise_delivery_errors = false
  # config.action_mailer.default :charset => "utf-8"

  config.action_mailer.smtp_settings = {
-    :address   => Rails.application.secrets.smtp_address,
-    :port      => Rails.application.secrets.smtp_port,
-    :user_name => Rails.application.secrets.smtp_user_name,
-    :password  => Rails.application.secrets.smtp_password,
-    :authentication       => Rails.application.secrets.smtp_authentication,
-    :enable_starttls_auto => Rails.application.secrets.smtp_enable_starttls_auto,
-    :openssl_verify_mode  => Rails.application.secrets.smtp_openssl_verify_mode,
+    address: Rails.application.secrets.smtp_address,
+    port: Rails.application.secrets.smtp_port,
+    user_name: Rails.application.secrets.smtp_user_name,
+    password: Rails.application.secrets.smtp_password,
+    authentication: Rails.application.secrets.smtp_authentication,
+    enable_starttls_auto: Rails.application.secrets.smtp_enable_starttls_auto,
+    openssl_verify_mode: Rails.application.secrets.smtp_openssl_verify_mode,
  }

  # use :smtp for switch prod
--- a/config/environments/staging.rb
+++ b/config/environments/staging.rb
@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.

@ -14,6 +16,11 @@ Rails.application.configure do
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true

+  config.action_controller.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
+
  # Enable Rack::Cache to put a simple HTTP cache in front of your application
  # Add `rack-cache` to your Gemfile before enabling this.
  # For large-scale production use, consider using a caching reverse proxy like nginx, varnish or squid.
@ -83,20 +90,23 @@ Rails.application.configure do

  # config.serve_static_assets = true

-  config.action_mailer.default_url_options = { :host => Rails.application.secrets.default_host, :protocol => Rails.application.secrets.default_protocol }
+  config.action_mailer.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
  # config.action_mailer.perform_deliveries = true
  # config.action_mailer.raise_delivery_errors = false
  # config.action_mailer.default :charset => "utf-8"

  config.action_mailer.smtp_settings = {
-    :address   => Rails.application.secrets.smtp_address,
-    :port      => Rails.application.secrets.smtp_port,
-    :user_name => Rails.application.secrets.smtp_user_name,
-    :password  => Rails.application.secrets.smtp_password,
-    :authentication       => Rails.application.secrets.smtp_authentication,
-    :enable_starttls_auto => Rails.application.secrets.smtp_enable_starttls_auto,
-    :openssl_verify_mode  => Rails.application.secrets.smtp_openssl_verify_mode,
-    }
+    address: Rails.application.secrets.smtp_address,
+    port: Rails.application.secrets.smtp_port,
+    user_name: Rails.application.secrets.smtp_user_name,
+    password: Rails.application.secrets.smtp_password,
+    authentication: Rails.application.secrets.smtp_authentication,
+    enable_starttls_auto: Rails.application.secrets.smtp_enable_starttls_auto,
+    openssl_verify_mode: Rails.application.secrets.smtp_openssl_verify_mode,
+  }

  # use :smtp for switch prod
  config.action_mailer.delivery_method = Rails.application.secrets.delivery_method.to_sym
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.

@ -13,13 +15,18 @@ Rails.application.configure do
  config.eager_load = false

  # Configure static asset server for tests with Cache-Control for performance.
-  config.serve_static_files  = true
+  config.serve_static_files = true
  config.static_cache_control = 'public, max-age=3600'

  # Show full error reports and disable caching.
  config.consider_all_requests_local       = true
  config.action_controller.perform_caching = false

+  config.action_controller.default_url_options = {
+    host: Rails.application.secrets.default_host,
+    protocol: Rails.application.secrets.default_protocol
+  }
+
  # Raise exceptions instead of rendering exception templates.
  config.action_dispatch.show_exceptions = false

--- a/config/locales/mails.en.yml
+++ b/config/locales/mails.en.yml
@ -17,8 +17,8 @@ en:
        password: "Password:"
        temporary_password: "This is a temporary password, you can modify it in your «My account» screen."
        keep_advantages: "With this account, you keep all the advantages linked to your Fab Lab user profile (trainings, subscriptions plans)."
-        thanks_to_: "To use the website, please"
-        logon_or_login: "create a new account or log in by clicking here"
+        to_use_platform: "To use the website, please"
+        logon_or_login: "create a new account or log in by clicking here."
        token_if_link_problem: "If you experience issues with the link, you can enter the following code at your first connection attempt:"

  notifications_mailer:
--- a/config/locales/mails.es.yml
+++ b/config/locales/mails.es.yml
@ -17,8 +17,8 @@ es:
        password: "Contraseña:"
        temporary_password: "Esta es una contraseña temporal, puede modificarla en la pantalla <<Mi cuenta>>."
        keep_advantages: "Con esta cuenta, guarda todas las ventajas relacionadas con su perfil de usuario de Fab Lab (cursos, planes de suscripción)."
-        thanks_to_: "Para usar el sitio web, por favor"
-        logon_or_login: "crea una nueva cuenta o inicia sesión haciendo clic aquí"
+        to_use_platform: "Para usar el sitio web, por favor"
+        logon_or_login: "crea una nueva cuenta o inicia sesión haciendo clic aquí."
        token_if_link_problem: "Si experimenta problemas con el enlace, puede introducir el siguiente código en el primer intento de conexión:"

  notifications_mailer:
--- a/config/locales/mails.fr.yml
+++ b/config/locales/mails.fr.yml
@ -17,8 +17,8 @@ fr:
        password: "Mot de passe :"
        temporary_password: "Ce mot de passe est temporaire, vous pourrez le modifier en accédant à l’espace « Mon compte »."
        keep_advantages: "Avec ce compte, vous conservez bien entendu tous les avantages liés à votre profil utilisateur Fab Lab (abonnement, formations)."
-        thanks_to_: "Pour pouvoir utiliser la plateforme, merci de vous"
-        logon_or_login: "créer un compte sur %{PROVIDER} ou utiliser un compte pré-existant en cliquant ici"
+        to_use_platform: "Pour pouvoir utiliser la plateforme, merci de vous"
+        logon_or_login: "créer un compte sur %{PROVIDER} ou utiliser un compte pré-existant en cliquant ici."
        token_if_link_problem: "En cas de problème avec le lien, vous pourrez saisir manuellement le code suivant lors de votre première connexion :"

  notifications_mailer:
--- a/config/locales/mails.pt.yml
+++ b/config/locales/mails.pt.yml
@ -17,8 +17,8 @@ pt:
        password: "Senha:"
        temporary_password: "Essa é uma senha temporária, você pode modificar isso na página «Minha conta»."
        keep_advantages: "Com esta conta, você mantém todas as vantagens associadas ao seu perfil de usuário Fab Lab (treinamentos, planos de assinaturas)."
-        thanks_to_: "Para usar o site, por favor"
-        logon_or_login: "Criar uma nova conta ou fazer login clicando aqui"
+        to_use_platform: "Para usar o site, por favor"
+        logon_or_login: "criar uma nova conta ou fazer login clicando aqui."
        token_if_link_problem: "Se você tiver problemas com o link, você poderá inserir o código a seguir na primeira tentativa de conexão:"

  notifications_mailer:
--- a/config/routes.rb
+++ b/config/routes.rb
@ -15,6 +15,7 @@ Rails.application.routes.draw do
      registrations: 'registrations', sessions: 'sessions', confirmations: 'confirmations', passwords: 'passwords',
      omniauth_callbacks: 'users/omniauth_callbacks'
    }
+    get '/sso-redirect', to: 'application#sso_redirect', as: :sso_redirect
  end


--- a/test/mailers/previews/notifications_mailer_preview.rb
+++ b/test/mailers/previews/notifications_mailer_preview.rb
@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class NotificationsMailerPreview < ActionMailer::Preview
+  def notify_user_auth_migration
+    notif = Notification.where(notification_type_id: NotificationType.find_by_name('notify_user_auth_migration')).first
+    NotificationsMailer.send_mail_by(notif)
+  end
+end
--- a/test/mailers/previews/users_mailer_preview.rb
+++ b/test/mailers/previews/users_mailer_preview.rb
@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class UsersMailerPreview < ActionMailer::Preview
+  def notify_user_account_created
+    UsersMailer.notify_user_account_created(User.first, 'test')
+  end
+end