
Commit ed3ef91

committed
removing omniauth CSRF validation, not neccessary since we validate using JWT
Add x86_64-linux platform to Gemfile.lock; updated platforms in Gemfile.lock; using ActionController::Base for preview; added spec for preview response
1 parent 77307f6 commit ed3ef91

4 files changed

Lines changed: 81 additions & 55 deletions


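--- a/Gemfile
+++ b/Gemfile
@@ -14,7 +14,6 @@ gem 'jwt', '~> 2.4'
 gem 'mutex_m'
 gem 'omniauth', '~> 2.1'
 gem 'omniauth-cas', '~> 3.0'
-gem 'omniauth-rails_csrf_protection', '~> 1.0'
 gem 'pg', '~> 1.4'
 gem 'pg_search', '~> 2.3'
 gem 'puma', '~> 7.2'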

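--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -72,7 +72,7 @@ GEM
 securerandom (>= 0.3)
 tzinfo (~> 2.0, >= 2.0.5)
 uri (>= 0.13.1)
-addressable (2.8.9)
+addressable (2.9.0)
 public_suffix (>= 2.0.2, < 8.0)
 amazing_print (1.8.1)
 ast (2.4.3)
@@ -97,19 +97,19 @@ GEM
 berkeley_library-logging (~> 0.3)
 rest-client (~> 2.1)
 typesafe_enum (~> 0.3)
-bigdecimal (4.1.0)
-brakeman (7.1.0)
+bigdecimal (4.1.2)
+brakeman (8.0.4)
 racc
 builder (3.3.0)
-bundle-audit (0.1.0)
+bundle-audit (0.2.0)
 bundler-audit
 bundler-audit (0.9.3)
 bundler (>= 1.2.0)
 thor (~> 1.0)
 colorize (1.1.0)
 concurrent-ruby (1.3.6)
 connection_pool (3.0.2)
-crack (1.0.0)
+crack (1.0.1)
 bigdecimal
 rexml
 crass (1.0.6)
@@ -122,37 +122,41 @@ GEM
 docile (1.4.1)
 domain_name (0.6.20240107)
 drb (2.2.3)
-erb (6.0.2)
+erb (6.0.4)
 erubi (1.13.1)
-factory_bot (6.5.5)
+factory_bot (6.6.0)
 activesupport (>= 6.1.0)
-factory_bot_rails (6.5.0)
+factory_bot_rails (6.5.1)
 factory_bot (~> 6.5)
 railties (>= 6.1.0)
-ffi (1.17.2)
-ffi (1.17.2-aarch64-linux-gnu)
-ffi (1.17.2-arm64-darwin)
-ffi (1.17.2-x86_64-linux-gnu)
+ffi (1.17.4-aarch64-linux-gnu)
+ffi (1.17.4-aarch64-linux-musl)
+ffi (1.17.4-arm-linux-gnu)
+ffi (1.17.4-arm-linux-musl)
+ffi (1.17.4-arm64-darwin)
+ffi (1.17.4-x86_64-darwin)
+ffi (1.17.4-x86_64-linux-gnu)
+ffi (1.17.4-x86_64-linux-musl)
 globalid (1.3.0)
 activesupport (>= 6.1)
 hashdiff (1.0.1)
 hashie (5.1.0)
 logger
 http-accept (1.7.0)
-http-cookie (1.1.0)
+http-cookie (1.1.6)
 domain_name (~> 0.5)
 i18n (1.14.8)
 concurrent-ruby (~> 1.0)
 image_processing (1.14.0)
 mini_magick (>= 4.9.5, < 6)
 ruby-vips (>= 2.0.17, < 3)
 io-console (0.8.2)
-irb (1.17.0)
+irb (1.18.0)
 pp (>= 0.6.0)
 prism (>= 1.3.0)
 rdoc (>= 4.0.0)
 reline (>= 0.4.2)
-json (2.19.2)
+json (2.19.5)
 jsonapi-serializer (2.2.0)
 activesupport (>= 4.2)
 jsonapi.rb (2.1.1)
@@ -177,23 +181,22 @@ GEM
 net-imap
 net-pop
 net-smtp
-marc (1.3.0)
+marc (1.4.0)
 nokogiri (~> 1.0)
 rexml
 marcel (1.1.0)
 mime-types (3.7.0)
 logger
 mime-types-data (~> 3.2025, >= 3.2025.0507)
-mime-types-data (3.2026.0317)
+mime-types-data (3.2026.0414)
 mini_magick (5.3.1)
 logger
 mini_mime (1.1.5)
-mini_portile2 (2.8.9)
-minitest (6.0.2)
+minitest (6.0.6)
 drb (~> 2.0)
 prism (~> 1.5)
 mutex_m (0.3.0)
-net-imap (0.6.3)
+net-imap (0.6.4)
 date
 net-protocol
 net-pop (0.1.2)
@@ -204,16 +207,23 @@ GEM
 net-protocol
 netrc (0.11.0)
 nio4r (2.7.5)
-nokogiri (1.19.2)
-mini_portile2 (~> 2.8.2)
+nokogiri (1.19.3-aarch64-linux-gnu)
 racc (~> 1.4)
-nokogiri (1.19.2-aarch64-linux-gnu)
+nokogiri (1.19.3-aarch64-linux-musl)
 racc (~> 1.4)
-nokogiri (1.19.2-arm64-darwin)
+nokogiri (1.19.3-arm-linux-gnu)
 racc (~> 1.4)
-nokogiri (1.19.2-x86_64-linux-gnu)
+nokogiri (1.19.3-arm-linux-musl)
 racc (~> 1.4)
-oj (3.16.16)
+nokogiri (1.19.3-arm64-darwin)
+racc (~> 1.4)
+nokogiri (1.19.3-x86_64-darwin)
+racc (~> 1.4)
+nokogiri (1.19.3-x86_64-linux-gnu)
+racc (~> 1.4)
+nokogiri (1.19.3-x86_64-linux-musl)
+racc (~> 1.4)
+oj (3.17.0)
 bigdecimal (>= 3.0)
 ostruct (>= 0.2)
 omniauth (2.1.4)
@@ -225,21 +235,21 @@ GEM
 addressable (~> 2.8)
 nokogiri (~> 1.12)
 omniauth (~> 2.1)
-omniauth-rails_csrf_protection (1.0.2)
-actionpack (>= 4.2)
-omniauth (~> 2.0)
 ostruct (0.6.3)
 ougai (2.0.0)
 oj (~> 3.10)
-parallel (1.27.0)
-parser (3.3.10.2)
+parallel (2.1.0)
+parser (3.3.11.1)
 ast (~> 2.4.1)
 racc
 parslet (2.0.0)
-pg (1.6.1)
-pg (1.6.1-aarch64-linux)
-pg (1.6.1-arm64-darwin)
-pg (1.6.1-x86_64-linux)
+pg (1.6.3)
+pg (1.6.3-aarch64-linux)
+pg (1.6.3-aarch64-linux-musl)
+pg (1.6.3-arm64-darwin)
+pg (1.6.3-x86_64-darwin)
+pg (1.6.3-x86_64-linux)
+pg (1.6.3-x86_64-linux-musl)
 pg_search (2.3.7)
 activerecord (>= 6.1)
 activesupport (>= 6.1)
@@ -256,14 +266,15 @@ GEM
 puma-plugin-delayed_stop (0.1.2)
 puma (>= 5.0, < 8)
 racc (1.8.1)
-rack (3.2.5)
-rack-cors (2.0.2)
-rack (>= 2.0.0)
+rack (3.2.6)
+rack-cors (3.0.0)
+logger
+rack (>= 3.0.14)
 rack-protection (4.2.1)
 base64 (>= 0.1.0)
 logger (>= 1.6.0)
 rack (>= 3.0.0, < 4)
-rack-session (2.1.1)
+rack-session (2.1.2)
 base64 (>= 0.1.0)
 rack (>= 3.0.0)
 rack-test (2.2.0)
@@ -305,16 +316,16 @@ GEM
 tsort (>= 0.2)
 zeitwerk (~> 2.6)
 rainbow (3.1.1)
-rake (13.3.1)
-ransack (4.4.0)
-activerecord (>= 7.1)
-activesupport (>= 7.1)
+rake (13.4.2)
+ransack (4.4.1)
+activerecord (>= 7.2)
+activesupport (>= 7.2)
 i18n
 rdoc (7.2.0)
 erb
 psych (>= 4.0.0)
 tsort
-regexp_parser (2.11.3)
+regexp_parser (2.12.0)
 reline (0.6.3)
 io-console (~> 0.5)
 request_store (1.7.0)
@@ -325,7 +336,7 @@ GEM
 mime-types (>= 1.16, < 4.0)
 netrc (~> 0.8)
 rexml (3.4.4)
-rspec (3.13.1)
+rspec (3.13.2)
 rspec-core (~> 3.13.0)
 rspec-expectations (~> 3.13.0)
 rspec-mocks (~> 3.13.0)
@@ -348,11 +359,11 @@ GEM
 rspec-support (3.13.7)
 rspec_junit_formatter (0.6.0)
 rspec-core (>= 2, < 4, != 2.12.0)
-rubocop (1.86.0)
+rubocop (1.86.2)
 json (~> 2.3)
 language_server-protocol (~> 3.17.0.2)
 lint_roller (~> 1.1.0)
-parallel (~> 1.10)
+parallel (>= 1.10)
 parser (>= 3.3.0.2)
 rainbow (>= 2.2.2, < 4.0)
 regexp_parser (>= 2.9.3, < 3.0)
@@ -362,7 +373,7 @@ GEM
 rubocop-ast (1.49.1)
 parser (>= 3.3.7.2)
 prism (~> 1.7)
-rubocop-rails (2.34.3)
+rubocop-rails (2.35.0)
 activesupport (>= 4.2.0)
 lint_roller (~> 1.1)
 rack (>= 1.1)
@@ -380,7 +391,7 @@ GEM
 parslet (~> 2.0)
 typesafe_enum (~> 0.3)
 ruby-progressbar (1.13.0)
-ruby-vips (2.2.4)
+ruby-vips (2.3.0)
 ffi (~> 1.12)
 logger
 securerandom (0.4.1)
@@ -404,7 +415,7 @@ GEM
 unicode-emoji (4.2.0)
 uri (1.1.1)
 useragent (0.16.11)
-webmock (3.25.1)
+webmock (3.26.2)
 addressable (>= 2.8.0)
 crack (>= 0.3.2)
 hashdiff (>= 0.4.0, < 2.0.0)
@@ -417,10 +428,14 @@ GEM
 
 PLATFORMS
 aarch64-linux-gnu
-arm64-darwin-23
-ruby
+aarch64-linux-musl
+arm-linux-gnu
+arm-linux-musl
+arm64-darwin
+x86_64-darwin
 x86_64-linux
-x86_64-unknown
+x86_64-linux-gnu
+x86_64-linux-musl
 
 DEPENDENCIES
 berkeley_library-alma (~> 0.1.1)
@@ -440,7 +455,6 @@ DEPENDENCIES
 mutex_m
 omniauth (~> 2.1)
 omniauth-cas (~> 3.0)
-omniauth-rails_csrf_protection (~> 1.0)
 pg (~> 1.4)
 pg_search (~> 2.3)
 puma (~> 7.2)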

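--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -18,6 +18,10 @@ def return_url
 # https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
 OmniAuth.config.allowed_request_methods = [:post]
 
+# API-only app: disable OmniAuth request CSRF validator.
+# OmniAuth 2.x calls this object in request_phase; setting nil skips it.
+OmniAuth.config.request_validation_phase = nil
+
 Rails.application.configure do
 cas_opts = {
 name: :calnet,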
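Review bot: `OmniAuth.config.request_validation_phase = nil` removes the only request-phase CSRF check now that omniauth-rails_csrf_protection is gone (Gemfile hunk and its Gemfile.lock entries), and the compensating JWT validation the commit message relies on is not visible in this hunk, so nothing here shows that a cross-site POST to the provider's request path is refused before the CAS redirect starts. The `allowed_request_methods = [:post]` line just above is now the only thing still closing the GET vector from CVE-2015-9284, so the new comment should say that explicitly and point at where the JWT check lives rather than just describing the OmniAuth mechanics. Suggested replacement for the two added comment lines: `# API-only app: no request-phase CSRF validator (omniauth-rails_csrf_protection removed).`, `# allowed_request_methods = [:post] above still blocks the GET vector of CVE-2015-9284;`, `# callers are authenticated by the JWT check in <location — fill in>.` A request spec that exercises the provider's request path without a Rails CSRF token and asserts the expected outcome would pin the behavior this commit assumes. The surrounding `Rails.application.configure` block continues outside the hunk.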

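--- a/spec/requests/preview/preview_spec.rb
+++ b/spec/requests/preview/preview_spec.rb
@@ -14,6 +14,15 @@
 expect(response.content_type).to start_with('text/html')
 end
 
+it 'renders a non-empty HTML response body' do
+allow(ENV).to receive(:[]).with('GALC_API_URL').and_return('https://galc.biz')
+get preview_path
+
+expect(response).to have_http_status(:ok)
+expect(response.body).not_to be_empty
+expect(response.body).to include('<html')
+end
+
 context 'sets the API URL correctly' do
 it 'sets the url when GALC_API_URL is present' do
 allow(ENV).to receive(:[]).with('GALC_API_URL').and_return('https://galc.biz')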
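Review bot: The `allow(ENV).to receive(:[]).with('GALC_API_URL')` stub in the new example constrains every `ENV[]` call made during the request to that single key, so if anything else on the request path (middleware, initializers, the preview template) reads `ENV['...']`, the example fails with an unexpected-arguments error rather than on the assertions it is meant to check. The existing example below uses the same stub, so the fragility is inherited, but this test drives a full HTML render and so widens the surface that can trip it. Precede the stub with `allow(ENV).to receive(:[]).and_call_original` so unstubbed keys fall through to the real environment, and since the stub is now repeated in two examples, hoisting it into a `before` block would keep them in step. The enclosing `describe` block starts before the hunk.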
