CVE-2015-9284: follow-up for restoring single authentication method a…

…nd LDAP (bigbluebutton#3376)

* CVE-2015-9284: follow-up for resotoring single authentication method and ldap

* CVE-2015-9284: follow-up for resotoring ldap

Gemfile

@@ -40,6 +40,7 @@ gem 'random_password', '~> 0.1.1'
 gem "recaptcha", '~> 5.7.0'
 gem 'redcarpet', '~> 3.5.1'
 gem 'remote_syslog_logger', '~> 1.0.4'
+gem 'repost', '~> 0.3.8'
 gem 'rubocop', '~> 1.10.0'
 gem 'sassc-rails', '~> 2.1.2'
 gem 'sprockets', '~> 3.7.2'

Gemfile.lock

@@ -341,6 +341,7 @@ GEM
     regexp_parser (2.1.1)
     remote_syslog_logger (1.0.4)
       syslog_protocol
+    repost (0.3.8)
     representable (3.0.4)
       declarative (< 0.1.0)
       declarative-option (< 0.2.0)
@@ -508,6 +509,7 @@ DEPENDENCIES
   redcarpet (~> 3.5.1)
   redis (~> 4.2.5)
   remote_syslog_logger (~> 1.0.4)
+  repost (~> 0.3.8)
   rspec-rails (~> 3.7)
   rubocop (~> 1.10.0)
   sassc-rails (~> 2.1.2)

app/controllers/sessions_controller.rb

@@ -39,7 +39,7 @@ def signin
         "#{Rails.configuration.relative_url_root}/auth/#{@providers.first}"
       end
 
-      redirect_to provider_path
+      redirect_post(provider_path, options: { authenticity_token: :auto })
     end
   end
 

config/routes.rb

@@ -28,7 +28,7 @@
   get '/signin', to: 'sessions#signin', as: :signin
   get '/signup', to: 'sessions#new', as: :signup
   post '/signup', to: 'users#create', as: :create_user
-  get '/ldap_signin', to: 'sessions#ldap_signin', as: :ldap_signin
+  match '/ldap_signin', to: 'sessions#ldap_signin', as: :ldap_signin, via: [:get, :post]
 
   # Redirect to terms page
   match '/terms', to: 'users#terms', via: [:get, :post]