Edouard CHIN authored
### Context

Since version 2.0.0, Omniauth no longer recognizes `GET` requests on the auth path (`/users/auth/<provider>`). `POST` is the only verb that is recognized by default in order to mitigate CSRF attacks.

https://github.com/omniauth/omniauth/blob/66110da85e3106d9c9b138d384267a9397c75fe7/lib/omniauth/strategy.rb#L205

Ultimately, when a user tries to access `GET /users/auth/facebook`, Devise [passthru action](https://github.com/heartcombo/devise/blob/6d32d2447cc0f3739d9732246b5a5bde98d9e032/app/controllers/devise/omniauth_callbacks_controller.rb#L6) will be called, which just returns a raw 404 page.

### Problem

There is no problem per se and everything works. However, the advantage of not matching GET requests at the router layer is getting that same 404 page stylized for "free" (Rails ends up rendering the 404 page of the app). I believe it's also more consistent and less surprising for users if this passthru action doesn't get called.

### Drawback

An application can no longer override the `passthru` to perform the logic it wants (i.e. redirect the user). If this is a dealbreaker, feel free to close this PR :).
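The request flow the commit message describes, as an added example that is not part of the commit and is not OmniAuth or Devise code: a simplified Rack-style model in which `AuthGate`, `Router`, `PASSTHRU` and the response bodies are hypothetical stand-ins. It shows that a `GET` on the auth path falls through the verb check, and that the 404 it receives depends on whether the router still matches `GET`.

```ruby
# Simplified model (not OmniAuth or Devise source) of how a request to the
# auth path is handled. All class and constant names here are hypothetical.

ALLOWED_REQUEST_METHODS = %w[POST].freeze # default since 2.0.0, per the commit message

# Stand-in for the OmniAuth strategy middleware: it only starts the request
# phase when the path AND the verb match; anything else goes to the app.
class AuthGate
  def initialize(app, request_path)
    @app = app
    @request_path = request_path
  end

  def call(env)
    if env["PATH_INFO"] == @request_path &&
       ALLOWED_REQUEST_METHODS.include?(env["REQUEST_METHOD"])
      # Constructed placeholder URL for the provider redirect.
      return [302, { "location" => "https://provider.example/authorize" }, []]
    end
    @app.call(env)
  end
end

# Stand-in for the Rails router. `routes` maps [verb, path] to a handler;
# a miss yields the application's own (styled) 404 page.
class Router
  def initialize(routes)
    @routes = routes
  end

  def call(env)
    handler = @routes[[env["REQUEST_METHOD"], env["PATH_INFO"]]]
    return handler.call(env) if handler
    [404, { "content-type" => "text/html" }, ["<h1>Styled application 404</h1>"]]
  end
end

# Stand-in for the passthru action: a bare 404 response.
PASSTHRU = ->(_env) { [404, { "content-type" => "text/plain" }, ["raw 404"]] }
AUTH_PATH = "/users/auth/facebook"

def build_stack(verbs)
  routes = verbs.to_h { |verb| [[verb, AUTH_PATH], PASSTHRU] }
  AuthGate.new(Router.new(routes), AUTH_PATH)
end

def request(stack, verb, path = AUTH_PATH)
  stack.call("REQUEST_METHOD" => verb, "PATH_INFO" => path)
end

BEFORE = build_stack(%w[GET POST]) # router matches GET: passthru is reached
AFTER  = build_stack(%w[POST])     # router matches POST only
```

The model leaves out the authenticity-token validation that guards the `POST` request phase; it covers only the verb and routing behaviour discussed above.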