omniauth: protect against CSRF (#4102)

Configure OmniAuth pour éviter de potentielles CSRF

Gemfile

@@ -39,6 +39,7 @@ gem 'lograge'
 gem 'logstash-event'
 gem 'mailjet'
 gem 'omniauth-github'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'
 gem 'openid_connect'
 gem 'openstack'
 gem 'pg'

Gemfile.lock

@@ -386,6 +386,9 @@ GEM
     omniauth-oauth2 (1.6.0)
       oauth2 (~> 1.1)
       omniauth (~> 1.9)
+    omniauth-rails_csrf_protection (0.1.2)
+      actionpack (>= 4.2)
+      omniauth (>= 1.3.1)
     open4 (1.3.4)
     openid_connect (1.1.6)
       activemodel
@@ -731,6 +734,7 @@ DEPENDENCIES
   mailjet
   mina!
   omniauth-github
+  omniauth-rails_csrf_protection (~> 0.1)
   openid_connect
   openstack
   pg

app/views/administrations/sessions/new.html.haml

@@ -1,6 +1,6 @@
 .super-admin.flex.justify-center
   %div
     %h2 Espace Admin
-    = link_to administration_github_omniauth_authorize_path, class: "button large" do
+    = link_to administration_github_omniauth_authorize_path, method: :post, class: "button large" do
       %span.icon.lock
       Connexion avec GitHub

config/initializers/omniauth.rb

@@ -0,0 +1,4 @@
+# OmniAuth GET requests may be vulnerable to CSRF.
+# Ensure that OmniAuth only uses POST requests.
+# See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
+OmniAuth.config.allowed_request_methods = [:post]