upgrade to omniauth-cas 3.0

anarchivist · anarchivist · commit bc630562c1f6 · 2025-12-03T09:52:32.000-08:00
omniauth-cas now requires a switch from a GET to POST, which leads us to need to modify how our
login links exist and are styled (i.e., they are no longer truly links but rather forms).
diff --git a/Gemfile b/Gemfile
@@ -13,7 +13,8 @@ gem 'jbuilder', '~> 2.13'
 gem 'nokogiri', '~> 1.18'
 # gem 'non-stupid-digest-assets', '~> 1.0' # Allow static pages (e.g. 404.html) to link to compiled assets
 gem 'okcomputer', '~> 1.19'
-gem 'omniauth-cas', '~> 2.0'
+gem 'omniauth-cas', '~> 3.0'
+gem 'omniauth-rails_csrf_protection', '~> 1.0'
 gem 'puma', '~> 5.3', '>= 5.3.1'
 gem 'rails', '~> 8.0.4'
 gem 'rest-client', '~> 2.1'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -72,8 +72,8 @@ GEM
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
       uri (>= 0.13.1)
-    addressable (2.8.5)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.8)
+      public_suffix (>= 2.0.2, < 8.0)
     amazing_print (1.5.0)
     ast (2.4.3)
     base64 (0.3.0)
@@ -208,13 +208,18 @@ GEM
     oj (3.16.1)
     okcomputer (1.19.1)
       benchmark
-    omniauth (1.9.2)
+    omniauth (2.1.4)
       hashie (>= 3.4.6)
-      rack (>= 1.6.2, < 3)
-    omniauth-cas (2.0.0)
-      addressable (~> 2.3)
-      nokogiri (~> 1.5)
-      omniauth (~> 1.2)
+      logger
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-cas (3.0.2)
+      addressable (~> 2.8)
+      nokogiri (~> 1.12)
+      omniauth (~> 2.1)
+    omniauth-rails_csrf_protection (1.0.2)
+      actionpack (>= 4.2)
+      omniauth (~> 2.0)
     ougai (2.0.0)
       oj (~> 3.10)
     parallel (1.27.0)
@@ -229,11 +234,14 @@ GEM
     psych (5.2.6)
       date
       stringio
-    public_suffix (5.0.3)
+    public_suffix (7.0.0)
     puma (5.6.7)
       nio4r (~> 2.0)
-    racc (1.7.1)
-    rack (2.2.8)
+    racc (1.8.1)
+    rack (2.2.21)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
+      rack (~> 2.2, >= 2.2.4)
     rack-session (1.0.2)
       rack (< 3)
     rack-test (2.1.0)
@@ -428,7 +436,8 @@ DEPENDENCIES
   listen (>= 3.0)
   nokogiri (~> 1.18)
   okcomputer (~> 1.19)
-  omniauth-cas (~> 2.0)
+  omniauth-cas (~> 3.0)
+  omniauth-rails_csrf_protection (~> 1.0)
   puma (~> 5.3, >= 5.3.1)
   rails (~> 8.0.4)
   rest-client (~> 2.1)
diff --git a/app/assets/stylesheets/includes/main.scss b/app/assets/stylesheets/includes/main.scss
@@ -97,7 +97,7 @@ header {
     }
 
     ul {
-      a {
+      a, button.calnet_login {
         color: black;
 
         &:hover {
@@ -226,7 +226,7 @@ section {
       }
     }
 
-    a {
+    a, button.calnet_login {
       &:hover {
         box-shadow: inset 0 -4px 0 $color-anchor-highlight;
       }
@@ -257,6 +257,16 @@ section {
   }
 
   &.restricted {
+    form {
+      button.calnet_login {
+        box-shadow: inset 0 -4pxq 0 $color-anchor-highlight;
+
+        &:hover {
+          background: $color-anchor-highlight;
+          border: 1px solid $color-anchor-highlight;
+        }
+      }
+    }
     p {
       a {
         box-shadow: inset 0 -4px 0 $color-anchor-highlight;
@@ -398,3 +408,13 @@ span {
 
   // sass-lint:enable class-name-format
 }
+
+button.calnet_login {
+  background: inherit;
+  margin: inherit;
+  border: none;
+  line-height: inherit;
+  font-family: inherit;
+  font-size: inherit;
+  text-decoration: inherit;
+}
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -8,7 +8,9 @@ def logout_link(text = 'CalNet Logout')
   end
 
   def login_link(text = 'CalNet Login')
-    link_to(text, login_path(url: request.original_url))
+    form_tag('/auth/calnet', url: request.original_url, method: 'post', data: { turbo: false }) do
+      button_tag text, class: 'calnet_login'
+    end
   end
 
   def vpn_link
diff --git a/app/views/player/access_restricted.erb b/app/views/player/access_restricted.erb
@@ -2,7 +2,7 @@
 <%
   calnet_only = record&.calnet_only?
   access_methods = [].tap do |mm|
-    mm << login_link('log in with CalNet') unless authenticated?
+    mm << login_link('Log in with CalNet') unless authenticated?
     mm << vpn_link unless calnet_only || ucb_request?
   end
 %>
diff --git a/spec/support/authz_shared_examples.rb b/spec/support/authz_shared_examples.rb
@@ -28,7 +28,7 @@
     expect(page).to have_content(record_id)
 
     show_url = player_url(collection:, record_id:)
-    expect(page).to have_link(href: login_path(url: show_url))
+    expect(page).to have_css('button.calnet_login')
   end
 end
 
