How can I block Omniauth GET requests?

Jan 20, 2017, 11:52:19 AM
to Devise
I'm using Devise with Omniauth. It doesn't seem possible to restrict the initial user auth requests to only GETs or only POSTs. Is it? (My goal is to block GET requests so that only CSRF-tokened posts get through.)

Currently I'm testing manually adding the routes with GET requests, but I'm getting 404s.

My routes.rb:

devise_for :users, only: '', controllers: { omniauth_callbacks: 'users/omniauth_callbacks' }
as :user do
  # only handle GET
  get 'users/auth/:provider', to: 'users/omniauth_callbacks#passthru', as: :user_omniauth_authorize
end

I'm getting this in my rails logs:

Started GET "/users/auth/facebook" for at 2017-01-19 19:18:56 -0500
Processing by Users::OmniauthCallbacksController#passthru as HTML
  Parameters: {"provider"=>"facebook"}
Rendering 404: Not Found

Jan 20, 2017, 11:53:16 AM
to Devise
Devise: 3.5.2
Omniauth: 1.2.1
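
Added example, not part of the original posts and not Devise or OmniAuth code: one way to enforce the stated goal at the Rack layer is a small middleware that answers 405 to any non-POST request on the request-phase path while leaving the provider's GET callback alone. The class name `BlockOmniauthGet` is hypothetical, the `/users/auth` prefix is taken from the log above, and the sketch only enforces the HTTP method; verifying the CSRF token on the POST is assumed to happen elsewhere.

```ruby
# Added example: plain-Ruby Rack middleware (hypothetical name). No gems are
# needed, since a Rack app is any object that responds to call(env).
class BlockOmniauthGet
  # Assumption: the prefix matches the "/users/auth/facebook" path in the log.
  def initialize(app, prefix: "/users/auth")
    @app = app
    # Matches "<prefix>/<provider>" only. "<prefix>/<provider>/callback" is
    # deliberately not matched, because the provider redirects back with GET.
    @request_phase = %r{\A#{Regexp.escape(prefix)}/[^/]+/?\z}
  end

  def call(env)
    on_request_phase = @request_phase.match?(env["PATH_INFO"].to_s)
    if on_request_phase && env["REQUEST_METHOD"] != "POST"
      body = "Method Not Allowed\n"
      headers = { "content-type" => "text/plain", "allow" => "POST",
                  "content-length" => body.bytesize.to_s }
      return [405, headers, [body]]
    end
    @app.call(env) # everything else continues down the stack unchanged
  end
end

# Constructed stand-in for the rest of the stack (OmniAuth and the Rails app).
DOWNSTREAM = lambda do |env|
  [200, { "content-type" => "text/plain" },
   ["passed #{env['REQUEST_METHOD']} #{env['PATH_INFO']}"]]
end

# Helper for trying the middleware against a constructed request.
def status_for(method, path)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path }
  BlockOmniauthGet.new(DOWNSTREAM).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  [["GET", "/users/auth/facebook"], ["POST", "/users/auth/facebook"],
   ["GET", "/users/auth/facebook/callback"]].each do |method, path|
    puts "#{method} #{path} -> #{status_for(method, path)}"
  end
end
```

To have any effect the middleware has to sit ahead of the OmniAuth strategy middleware in the stack, for example via `config.middleware.insert_before`.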