Allow PATCH for OmniAuth requests
This is required to allow the account settings screen, which now uses the PATCH verb, to redirect to OmniAuth when the external authentication provider is changed. As PATCH is still subject to CSRF protection, this doesn't impact CVE-2015-9284, which is the reason for requiring POST and, most importantly, for not allowing GET requests to OmniAuth.
parent
f1e0212af3
commit
b0288b83bb
2 changed files with 2 additions and 1 deletions
|
@ -8,6 +8,7 @@ OpenID::Util.logger = Rails.logger
|
|||
|
||||
OmniAuth.config.logger = Rails.logger
|
||||
OmniAuth.config.failure_raise_out_environments = []
|
||||
OmniAuth.config.allowed_request_methods = [:post, :patch]
|
||||
|
||||
if Settings.key?(:memcache_servers)
|
||||
require "openid/store/memcache"
|
||||
|
|
|
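Review bot: The new `OmniAuth.config.allowed_request_methods` line has no comment, so the reason `:get` is excluded lives only in the commit message. I would add `# PATCH is needed by the account settings form; never add :get here (CVE-2015-9284)` above it. The description's claim that PATCH stays CSRF-protected depends on the token check running for OmniAuth's request phase, which is presumably handled in middleware rather than by a controller filter. That check is not visible in this hunk, so it is worth confirming that it covers PATCH as well as POST.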
@ -178,7 +178,7 @@ OpenStreetMap::Application.routes.draw do
|
|||
# omniauth
|
||||
get "/auth/failure" => "users#auth_failure"
|
||||
match "/auth/:provider/callback" => "users#auth_success", :via => [:get, :post], :as => :auth_success
|
||||
post "/auth/:provider" => "users#auth", :as => :auth
|
||||
match "/auth/:provider" => "users#auth", :via => [:post, :patch], :as => :auth
|
||||
|
||||
# permalink
|
||||
get "/go/:code" => "site#permalink", :code => /[a-zA-Z0-9_@~]+[=-]*/, :as => :permalink
|
||||
|
|
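Review bot: The method list on the `match "/auth/:provider"` route now has to stay in step with `OmniAuth.config.allowed_request_methods` in the initializer, and nothing in this change pins that. The diffstat shows only two changed files, so no test accompanies the change. A routing or integration test asserting that GET on `/auth/:provider` is still refused, and that a PATCH without a valid authenticity token is rejected, would guard the CVE-2015-9284 property the description relies on. A short comment such as `# keep in sync with OmniAuth.config.allowed_request_methods` above the route would also help.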