Upgrading devise to releases 4.9 and omniauth releases 2.1 (#1839)

Co-authored-by: Bess Sadler <[email protected]>
pulibrary · Jun 17, 2024 · 67d666a · 67d666a
1 parent 5b122c2
commit 67d666a
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 15 deletions.
diff --git a/Gemfile b/Gemfile
@@ -40,8 +40,9 @@ gem "vite_rails", "3.0.12"
 gem "whenever"
 
 # Reference: https://github.com/pulibrary/pul-the-hard-way/blob/main/services/cas.md
-gem "devise"
-gem "omniauth-cas"
+gem "devise", "~> 4.9"
+gem "omniauth", "~> 2.1", ">= 2.1.2"
+gem "omniauth-cas", "~> 3.0"
 
 # Use Active Storage variant
 # gem 'image_processing', '~> 1.2'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -115,7 +115,7 @@ GEM
       descendants_tracker (~> 0.0.4)
       ice_nine (~> 0.11.0)
       thread_safe (~> 0.3, >= 0.3.1)
-    bcrypt (3.1.17)
+    bcrypt (3.1.20)
     bcrypt_pbkdf (1.1.0)
     bindex (0.8.1)
     bixby (4.0.0)
@@ -180,7 +180,7 @@ GEM
     debase-ruby_core_source (3.2.0)
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
-    devise (4.8.1)
+    devise (4.9.4)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
@@ -303,13 +303,14 @@ GEM
       racc (~> 1.4)
     nokogiri (1.16.5-x86_64-linux)
       racc (~> 1.4)
-    omniauth (1.9.2)
+    omniauth (2.1.2)
       hashie (>= 3.4.6)
-      rack (>= 1.6.2, < 3)
-    omniauth-cas (2.0.0)
-      addressable (~> 2.3)
-      nokogiri (~> 1.5)
-      omniauth (~> 1.2)
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-cas (3.0.0)
+      addressable (~> 2.8)
+      nokogiri (~> 1.12)
+      omniauth (~> 2.1)
     orm_adapter (0.5.0)
     parallel (1.22.1)
     parser (3.1.2.0)
@@ -377,9 +378,9 @@ GEM
     redis-client (0.22.1)
       connection_pool
     regexp_parser (2.8.1)
-    responders (3.0.1)
-      actionpack (>= 5.0)
-      railties (>= 5.0)
+    responders (3.1.1)
+      actionpack (>= 5.2)
+      railties (>= 5.2)
     retryable (3.0.5)
     rexml (3.2.8)
       strscan (>= 3.0.9)
@@ -569,7 +570,7 @@ DEPENDENCIES
   datacite!
   datacite-mapping
   ddtrace
-  devise
+  devise (~> 4.9)
   dogstatsd-ruby
   ed25519
   equivalent-xml (~> 0.6.0)
@@ -592,7 +593,8 @@ DEPENDENCIES
   net-smtp
   net-ssh (= 7.0.0.beta1)
   nokogiri (>= 1.13.4)
-  omniauth-cas
+  omniauth (~> 2.1, >= 2.1.2)
+  omniauth-cas (~> 3.0)
   pg
   pry-byebug
   pry-rails

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -290,6 +290,8 @@
 
   ## For CAS
   config.omniauth :cas, host: "fed.princeton.edu", url: "https://fed.princeton.edu/cas"
+  OmniAuth.config.allowed_request_methods = [:get, :post]
+  OmniAuth.config.request_validation_phase = OmniAuth::AuthenticityTokenProtection.new(allow_if: ->(_env) { true })
 
   # ==> Mountable engine configurations
   # When using Devise inside an engine, let's call it `MyEngine`, and this engine