I'm using Devise with Omniauth. It doesn't seem possible to restrict the initial user auth requests to only GETs or only POSTs. Is it? (My goal is to block GET requests so that only CSRF-tokened posts get through.)

Currently I'm testing manually adding the routes with GET requests, but I'm getting 404s.

My routes.rb:

    devise_for :users, only: '', controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
    as :user do
      # only handle GET
      get 'users/auth/:provider', to: 'users/omniauth_callbacks#passthru', as: :user_omniauth_authorize
    end

I'm getting this in my Rails logs:

    Started GET "/users/auth/facebook" for 127.0.0.1 at 2017-01-19 19:18:56 -0500
    Processing by Users::OmniauthCallbacksController#passthru as HTML
      Parameters: {"provider"=>"facebook"}
    Rendering 404: Not Found