This is required to allow the account settings screen, which now
uses the PATCH verb, to redirect to OmniAuth when the external
authentication provider is changed.
As PATCH still uses CSRF this doesn't impact CVE-2015-9284 which
is the reason for requiring POST and most importantly got not
allowing GET requests to OmniAuth.
OmniAuth.config.logger = Rails.logger
OmniAuth.config.failure_raise_out_environments = []
OmniAuth.config.logger = Rails.logger
OmniAuth.config.failure_raise_out_environments = []
+OmniAuth.config.allowed_request_methods = [:post, :patch]
if Settings.key?(:memcache_servers)
require "openid/store/memcache"
if Settings.key?(:memcache_servers)
require "openid/store/memcache"
# omniauth
get "/auth/failure" => "users#auth_failure"
match "/auth/:provider/callback" => "users#auth_success", :via => [:get, :post], :as => :auth_success
# omniauth
get "/auth/failure" => "users#auth_failure"
match "/auth/:provider/callback" => "users#auth_success", :via => [:get, :post], :as => :auth_success
- post "/auth/:provider" => "users#auth", :as => :auth
+ match "/auth/:provider" => "users#auth", :via => [:post, :patch], :as => :auth
# permalink
get "/go/:code" => "site#permalink", :code => /[a-zA-Z0-9_@~]+[=-]*/, :as => :permalink
# permalink
get "/go/:code" => "site#permalink", :code => /[a-zA-Z0-9_@~]+[=-]*/, :as => :permalink