Fix omniauth (SAML/CAS) sign-in routes not having CSRF protection (#15228)

13b07b88 · Eugen Rochko · GitHub · 13206fcf · 13b07b88 · 13b07b88
Unverified Commit 13b07b88 authored 4 years ago by Eugen Rochko Committed by GitHub 4 years ago
--- a/Gemfile
+++ b/Gemfile
@@ -44,6 +44,7 @@ gem 'net-ldap', '~> 0.16'
 gem 'omniauth-cas', '~> 2.0'
 gem 'omniauth-saml', '~> 1.10'
 gem 'omniauth', '~> 1.9'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'

 gem 'color_diff', '~> 0.1'
 gem 'discard', '~> 1.2'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -375,6 +375,9 @@ GEM
      addressable (~> 2.3)
      nokogiri (~> 1.5)
      omniauth (~> 1.2)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
    omniauth-saml (1.10.3)
      omniauth (~> 1.3, >= 1.3.2)
      ruby-saml (~> 1.9)
@@ -741,6 +744,7 @@ DEPENDENCIES
  oj (~> 3.10)
  omniauth (~> 1.9)
  omniauth-cas (~> 2.0)
+  omniauth-rails_csrf_protection (~> 0.1)
  omniauth-saml (~> 1.10)
  ox (~> 2.13)
  paperclip (~> 6.0)

--- a/app/views/auth/sessions/new.html.haml
+++ b/app/views/auth/sessions/new.html.haml
@@ -22,7 +22,6 @@

    .actions
      - resource_class.omniauth_providers.each do |provider|
-        = link_to omniauth_authorize_path(resource_name, provider), class: "button button-#{provider}" do
-          = t("auth.providers.#{provider}", default: provider.to_s.chomp("_oauth2").capitalize)
+        = link_to t("auth.providers.#{provider}", default: provider.to_s.chomp("_oauth2").capitalize), omniauth_authorize_path(resource_name, provider), class: "button button-#{provider}", method: :post

 .form-footer= render 'auth/shared/links'