diff --git a/Gemfile b/Gemfile
index 70b3a40a7..bd050109c 100644
--- a/Gemfile
+++ b/Gemfile
@@ -22,7 +22,6 @@
 gem 'net-smtp', '~> 0.5.1'
 gem 'omniauth', '~> 2.1.4'
 gem 'omniauth-identity', '~> 3.1', '>= 3.1.5'
 gem 'omniauth-oauth2', '~> 1.9.0'
-gem 'omniauth-rails_csrf_protection', '~> 2.0', '>= 2.0.1'
 gem 'paper_trail', '~> 17.0.0'
 gem 'paranoia', '~> 3.1.0'
 gem 'pg', '~> 1.6.2'
diff --git a/config/application.rb b/config/application.rb
index f0db2030c..9883b0502 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -30,8 +30,7 @@ class Application < Rails::Application
     config.cache_store = :redis_cache_store, {
       url: Rails.application.config_for(:cable)['url'],
-      pool_size: ENV.fetch('RAILS_MAX_THREADS', 5).to_i,
-      pool_timeout: 5
+      pool: { size: ENV.fetch('RAILS_MAX_THREADS', 5).to_i, timeout: 5 }
     }
     config.active_job.queue_adapter = :sidekiq
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 3e50ba52f..39ef7ee46 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -12,6 +12,9 @@
   # ==> OmniAuth
   require_dependency Rails.root.join('config', 'initializers', 'omniauth_strategies', 'amber_oauth2.rb')
+  # CSRF protection (built-in solution for CVE-2015-9284)
+  OmniAuth.config.request_validation_phase = OmniAuth::AuthenticityTokenProtection.new(key: :_csrf_token)
+
   config.omniauth :amber_oauth2, Rails.application.config.x.amber_client_id, Rails.application.config.x.amber_client_secret
   config.omniauth :identity, model: SofiaAccount, fields: %i[username user_id],
diff --git a/config/initializers/sidekiq.rb b/config/initializers/sidekiq.rb
index 7cdad9c3e..7b9edb7b0 100644
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
@@ -2,14 +2,14 @@
 if redis_url
   Sidekiq.configure_server do |config|
-    config.redis = {
+    config.redis = {
       url: redis_url,
       pool_timeout: 5
     }
   end
   Sidekiq.configure_client do |config|
-    config.redis = {
+    config.redis = {
       url: redis_url,
       pool_timeout: 5
     }
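Review bot: The validator assigned on the added `OmniAuth.config.request_validation_phase` line is rack-protection's AuthenticityToken, which compares the submitted `authenticity_token` only against the global token it finds under the given session key, whereas the `omniauth-rails_csrf_protection` gem dropped in the Gemfile hunk delegated to Rails' own RequestForgeryProtection. As far as I can tell the rack-protection check does not accept Rails' per-form tokens (what `button_to`/`form_with` render when `config.action_controller.per_form_csrf_tokens` is on), and whether it decodes Rails 7.1's urlsafe-encoded session token depends on the rack-protection version in the lockfile, which this diff does not show. The likely failure mode is legitimate sign-in POSTs to `/auth/amber_oauth2` being rejected rather than protection being weakened, but it should be pinned by a request spec: a POST carrying the token rendered by the real login view passes, and the same POST without a token and a plain GET are both rejected. I would also extend the comment so the trade-off is visible to the next reader, e.g. `# Replaces omniauth-rails_csrf_protection: rack-protection checks the global token in session[:_csrf_token] only (verify per-form tokens are not in use for the sign-in button)`. The enclosing `Devise.setup` block starts and ends outside the hunk.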