From 67d666a0f3272621cc91605348d5ee70c08cf447 Mon Sep 17 00:00:00 2001
From: "James R. Griffin III" <1443986+jrgriffiniii@users.noreply.github.com>
Date: Mon, 17 Jun 2024 09:07:29 -0400
Subject: [PATCH] Upgrading devise to releases 4.9 and omniauth releases 2.1 (#1839)
Co-authored-by: Bess Sadler
---
 Gemfile | 5 +++--
 Gemfile.lock | 28 +++++++++++++++-------------
 config/initializers/devise.rb | 2 ++
 3 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/Gemfile b/Gemfile
index b68995ad1..1149f332b 100644
--- a/Gemfile
+++ b/Gemfile
@@ -40,8 +40,9 @@ gem "vite_rails", "3.0.12"
 gem "whenever"
 # Reference: https://github.com/pulibrary/pul-the-hard-way/blob/main/services/cas.md
-gem "devise"
-gem "omniauth-cas"
+gem "devise", "~> 4.9"
+gem "omniauth", "~> 2.1", ">= 2.1.2"
+gem "omniauth-cas", "~> 3.0"
 # Use Active Storage variant
 # gem 'image_processing', '~> 1.2'
diff --git a/Gemfile.lock b/Gemfile.lock
index f32bb4af8..c654d4fa6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -115,7 +115,7 @@ GEM
 descendants_tracker (~> 0.0.4)
 ice_nine (~> 0.11.0)
 thread_safe (~> 0.3, >= 0.3.1)
- bcrypt (3.1.17)
+ bcrypt (3.1.20)
 bcrypt_pbkdf (1.1.0)
 bindex (0.8.1)
 bixby (4.0.0)
@@ -180,7 +180,7 @@ GEM
 debase-ruby_core_source (3.2.0)
 descendants_tracker (0.0.4)
 thread_safe (~> 0.3, >= 0.3.1)
- devise (4.8.1)
+ devise (4.9.4)
 bcrypt (~> 3.0)
 orm_adapter (~> 0.1)
 railties (>= 4.1.0)
@@ -303,13 +303,14 @@ GEM
 racc (~> 1.4)
 nokogiri (1.16.5-x86_64-linux)
 racc (~> 1.4)
- omniauth (1.9.2)
+ omniauth (2.1.2)
 hashie (>= 3.4.6)
- rack (>= 1.6.2, < 3)
- omniauth-cas (2.0.0)
- addressable (~> 2.3)
- nokogiri (~> 1.5)
- omniauth (~> 1.2)
+ rack (>= 2.2.3)
+ rack-protection
+ omniauth-cas (3.0.0)
+ addressable (~> 2.8)
+ nokogiri (~> 1.12)
+ omniauth (~> 2.1)
 orm_adapter (0.5.0)
 parallel (1.22.1)
 parser (3.1.2.0)
@@ -377,9 +378,9 @@ GEM
 redis-client (0.22.1)
 connection_pool
 regexp_parser (2.8.1)
- responders (3.0.1)
- actionpack (>= 5.0)
- railties (>= 5.0)
+ responders (3.1.1)
+ actionpack (>= 5.2)
+ railties (>= 5.2)
 retryable (3.0.5)
 rexml (3.2.8)
 strscan (>= 3.0.9)
@@ -569,7 +570,7 @@ DEPENDENCIES
 datacite!
 datacite-mapping
 ddtrace
- devise
+ devise (~> 4.9)
 dogstatsd-ruby
 ed25519
 equivalent-xml (~> 0.6.0)
@@ -592,7 +593,8 @@ DEPENDENCIES
 net-smtp
 net-ssh (= 7.0.0.beta1)
 nokogiri (>= 1.13.4)
- omniauth-cas
+ omniauth (~> 2.1, >= 2.1.2)
+ omniauth-cas (~> 3.0)
 pg
 pry-byebug
 pry-rails
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 2396d1e56..917ef4528 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -290,6 +290,8 @@
 ## For CAS
 config.omniauth :cas, host: "fed.princeton.edu", url: "https://fed.princeton.edu/cas"
+ OmniAuth.config.allowed_request_methods = [:get, :post]
+ OmniAuth.config.request_validation_phase = OmniAuth::AuthenticityTokenProtection.new(allow_if: ->(_env) { true })
 # ==> Mountable engine configurations
 # When using Devise inside an engine, let's call it `MyEngine`, and this engine
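Review bot: The two `OmniAuth.config` lines added under `config.omniauth :cas` turn off the request-phase CSRF check that OmniAuth 2 enables by default: `allowed_request_methods = [:get, :post]` re-admits GET, and `allow_if: ->(_env) { true }` makes `AuthenticityTokenProtection` accept every request without validating a token. With both in place a third-party page can still start a CAS sign-in in a visitor's browser, which is the login-CSRF exposure the 2.x defaults were meant to close, so the upgrade keeps the 1.x behaviour rather than gaining the protection. I would keep the default `OmniAuth.config.allowed_request_methods = [:post]`, drop the `allow_if` override, and have the sign-in links submit a POST carrying the Rails authenticity token (the `omniauth-rails_csrf_protection` gem is the usual way to validate it). If the relaxation has to stay for now, put a comment above it such as `# TEMPORARY: disables OmniAuth request-phase CSRF validation; remove once sign-in uses POST` so it is not mistaken for required CAS configuration. The enclosing initializer block starts and ends outside the hunk, so I am assuming nothing else in it sets these options.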