How can I block Omniauth GET requests?


ev...@codecademy.com

Jan 20, 2017, 11:52:19 AM
to Devise
I'm using Devise with Omniauth. It doesn't seem possible to restrict the initial user auth requests to only GETs or only POSTs. Is it? (My goal is to block GET requests so that only CSRF-tokened posts get through.)

Currently I'm testing manually adding the routes with GET requests, but I'm getting 404s.

My routes.rb:

devise_for :users, only: '', controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
as :user do
  # only handle GET
  get 'users/auth/:provider', to: 'users/omniauth_callbacks#passthru', as: :user_omniauth_authorize
end

I'm getting this in my rails logs:

Started GET "/users/auth/facebook" for 127.0.0.1 at 2017-01-19 19:18:56 -0500
Processing by Users::OmniauthCallbacksController#passthru as HTML
  Parameters: {"provider"=>"facebook"}
Rendering 404: Not Found


ev...@codecademy.com

Jan 20, 2017, 11:53:16 AM
to Devise
Devise: 3.5.2
Omniauth: 1.2.1