removing omniauth CSRF validation, not neccessary since we validate using JWT

Author: davezuckerman

Gemfile

@@ -14,7 +14,6 @@ gem 'jwt', '~> 2.4'
 gem 'mutex_m'
 gem 'omniauth', '~> 2.1'
 gem 'omniauth-cas', '~> 3.0'
-gem 'omniauth-rails_csrf_protection', '~> 1.0'
 gem 'pg', '~> 1.4'
 gem 'pg_search', '~> 2.3'
 gem 'puma', '~> 7.2'

Gemfile.lock

@@ -72,7 +72,7 @@ GEM
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
       uri (>= 0.13.1)
-    addressable (2.8.9)
+    addressable (2.9.0)
       public_suffix (>= 2.0.2, < 8.0)
     amazing_print (1.8.1)
     ast (2.4.3)
@@ -97,19 +97,19 @@ GEM
       berkeley_library-logging (~> 0.3)
       rest-client (~> 2.1)
       typesafe_enum (~> 0.3)
-    bigdecimal (4.1.0)
-    brakeman (7.1.0)
+    bigdecimal (4.1.2)
+    brakeman (8.0.4)
       racc
     builder (3.3.0)
-    bundle-audit (0.1.0)
+    bundle-audit (0.2.0)
       bundler-audit
     bundler-audit (0.9.3)
       bundler (>= 1.2.0)
       thor (~> 1.0)
     colorize (1.1.0)
     concurrent-ruby (1.3.6)
     connection_pool (3.0.2)
-    crack (1.0.0)
+    crack (1.0.1)
       bigdecimal
       rexml
     crass (1.0.6)
@@ -122,37 +122,34 @@ GEM
     docile (1.4.1)
     domain_name (0.6.20240107)
     drb (2.2.3)
-    erb (6.0.2)
+    erb (6.0.4)
     erubi (1.13.1)
-    factory_bot (6.5.5)
+    factory_bot (6.6.0)
       activesupport (>= 6.1.0)
-    factory_bot_rails (6.5.0)
+    factory_bot_rails (6.5.1)
       factory_bot (~> 6.5)
       railties (>= 6.1.0)
-    ffi (1.17.2)
-    ffi (1.17.2-aarch64-linux-gnu)
-    ffi (1.17.2-arm64-darwin)
-    ffi (1.17.2-x86_64-linux-gnu)
+    ffi (1.17.4-aarch64-linux-gnu)
     globalid (1.3.0)
       activesupport (>= 6.1)
     hashdiff (1.0.1)
     hashie (5.1.0)
       logger
     http-accept (1.7.0)
-    http-cookie (1.1.0)
+    http-cookie (1.1.6)
       domain_name (~> 0.5)
     i18n (1.14.8)
       concurrent-ruby (~> 1.0)
     image_processing (1.14.0)
       mini_magick (>= 4.9.5, < 6)
       ruby-vips (>= 2.0.17, < 3)
     io-console (0.8.2)
-    irb (1.17.0)
+    irb (1.18.0)
       pp (>= 0.6.0)
       prism (>= 1.3.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
-    json (2.19.2)
+    json (2.19.5)
     jsonapi-serializer (2.2.0)
       activesupport (>= 4.2)
     jsonapi.rb (2.1.1)
@@ -177,23 +174,22 @@ GEM
       net-imap
       net-pop
       net-smtp
-    marc (1.3.0)
+    marc (1.4.0)
       nokogiri (~> 1.0)
       rexml
     marcel (1.1.0)
     mime-types (3.7.0)
       logger
       mime-types-data (~> 3.2025, >= 3.2025.0507)
-    mime-types-data (3.2026.0317)
+    mime-types-data (3.2026.0414)
     mini_magick (5.3.1)
       logger
     mini_mime (1.1.5)
-    mini_portile2 (2.8.9)
-    minitest (6.0.2)
+    minitest (6.0.6)
       drb (~> 2.0)
       prism (~> 1.5)
     mutex_m (0.3.0)
-    net-imap (0.6.3)
+    net-imap (0.6.4)
       date
       net-protocol
     net-pop (0.1.2)
@@ -204,16 +200,9 @@ GEM
       net-protocol
     netrc (0.11.0)
     nio4r (2.7.5)
-    nokogiri (1.19.2)
-      mini_portile2 (~> 2.8.2)
+    nokogiri (1.19.3-aarch64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.19.2-aarch64-linux-gnu)
-      racc (~> 1.4)
-    nokogiri (1.19.2-arm64-darwin)
-      racc (~> 1.4)
-    nokogiri (1.19.2-x86_64-linux-gnu)
-      racc (~> 1.4)
-    oj (3.16.16)
+    oj (3.17.0)
       bigdecimal (>= 3.0)
       ostruct (>= 0.2)
     omniauth (2.1.4)
@@ -225,21 +214,15 @@ GEM
       addressable (~> 2.8)
       nokogiri (~> 1.12)
       omniauth (~> 2.1)
-    omniauth-rails_csrf_protection (1.0.2)
-      actionpack (>= 4.2)
-      omniauth (~> 2.0)
     ostruct (0.6.3)
     ougai (2.0.0)
       oj (~> 3.10)
-    parallel (1.27.0)
-    parser (3.3.10.2)
+    parallel (2.1.0)
+    parser (3.3.11.1)
       ast (~> 2.4.1)
       racc
     parslet (2.0.0)
-    pg (1.6.1)
-    pg (1.6.1-aarch64-linux)
-    pg (1.6.1-arm64-darwin)
-    pg (1.6.1-x86_64-linux)
+    pg (1.6.3-aarch64-linux)
     pg_search (2.3.7)
       activerecord (>= 6.1)
       activesupport (>= 6.1)
@@ -256,14 +239,15 @@ GEM
     puma-plugin-delayed_stop (0.1.2)
       puma (>= 5.0, < 8)
     racc (1.8.1)
-    rack (3.2.5)
-    rack-cors (2.0.2)
-      rack (>= 2.0.0)
+    rack (3.2.6)
+    rack-cors (3.0.0)
+      logger
+      rack (>= 3.0.14)
     rack-protection (4.2.1)
       base64 (>= 0.1.0)
       logger (>= 1.6.0)
       rack (>= 3.0.0, < 4)
-    rack-session (2.1.1)
+    rack-session (2.1.2)
       base64 (>= 0.1.0)
       rack (>= 3.0.0)
     rack-test (2.2.0)
@@ -305,16 +289,16 @@ GEM
       tsort (>= 0.2)
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.3.1)
-    ransack (4.4.0)
-      activerecord (>= 7.1)
-      activesupport (>= 7.1)
+    rake (13.4.2)
+    ransack (4.4.1)
+      activerecord (>= 7.2)
+      activesupport (>= 7.2)
       i18n
     rdoc (7.2.0)
       erb
       psych (>= 4.0.0)
       tsort
-    regexp_parser (2.11.3)
+    regexp_parser (2.12.0)
     reline (0.6.3)
       io-console (~> 0.5)
     request_store (1.7.0)
@@ -325,7 +309,7 @@ GEM
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
     rexml (3.4.4)
-    rspec (3.13.1)
+    rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
@@ -348,11 +332,11 @@ GEM
     rspec-support (3.13.7)
     rspec_junit_formatter (0.6.0)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.86.0)
+    rubocop (1.86.1)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
-      parallel (~> 1.10)
+      parallel (>= 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
@@ -362,7 +346,7 @@ GEM
     rubocop-ast (1.49.1)
       parser (>= 3.3.7.2)
       prism (~> 1.7)
-    rubocop-rails (2.34.3)
+    rubocop-rails (2.35.0)
       activesupport (>= 4.2.0)
       lint_roller (~> 1.1)
       rack (>= 1.1)
@@ -380,7 +364,7 @@ GEM
       parslet (~> 2.0)
       typesafe_enum (~> 0.3)
     ruby-progressbar (1.13.0)
-    ruby-vips (2.2.4)
+    ruby-vips (2.3.0)
       ffi (~> 1.12)
       logger
     securerandom (0.4.1)
@@ -404,7 +388,7 @@ GEM
     unicode-emoji (4.2.0)
     uri (1.1.1)
     useragent (0.16.11)
-    webmock (3.25.1)
+    webmock (3.26.2)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -417,10 +401,6 @@ GEM
 
 PLATFORMS
   aarch64-linux-gnu
-  arm64-darwin-23
-  ruby
-  x86_64-linux
-  x86_64-unknown
 
 DEPENDENCIES
   berkeley_library-alma (~> 0.1.1)
@@ -440,7 +420,6 @@ DEPENDENCIES
   mutex_m
   omniauth (~> 2.1)
   omniauth-cas (~> 3.0)
-  omniauth-rails_csrf_protection (~> 1.0)
   pg (~> 1.4)
   pg_search (~> 2.3)
   puma (~> 7.2)

app/controllers/preview/application_controller.rb

@@ -1,3 +1,3 @@
 module Preview
-  class ApplicationController < ActionController::Base; end
+  class ApplicationController < ActionController::API; end
 end

config/initializers/omniauth.rb

@@ -18,6 +18,10 @@ def return_url
 # https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
 OmniAuth.config.allowed_request_methods = [:post]
 
+# API-only app: disable OmniAuth request CSRF validator.
+# OmniAuth 2.x calls this object in request_phase; setting nil skips it.
+OmniAuth.config.request_validation_phase = nil
+
 Rails.application.configure do
   cas_opts = {
     name: :calnet,