Allow PATCH for OmniAuth requests

This is required to allow the account settings screen, which now
uses the PATCH verb, to redirect to OmniAuth when the external
authentication provider is changed.

As PATCH still uses CSRF this doesn't impact CVE-2015-9284 which
is the reason for requiring POST and most importantly got not
allowing GET requests to OmniAuth.

diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 7889fca815b8aab7387efecc792c91b19ef30489..dd69aba8348190bf02b2da556d960f269b9e0f5f 100644 (file)
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -8,6 +8,7 @@ OpenID::Util.logger = Rails.logger
 
 OmniAuth.config.logger = Rails.logger
 OmniAuth.config.failure_raise_out_environments = []
+OmniAuth.config.allowed_request_methods = [:post, :patch]
 
 if Settings.key?(:memcache_servers)
   require "openid/store/memcache"

diff --git a/config/routes.rb b/config/routes.rb
index 2983fea55c46f6cc2157342dfe9b25de0cd384e5..ade101821541f4b58ef63ab086e87b75ea5cacb7 100644 (file)
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -178,7 +178,7 @@ OpenStreetMap::Application.routes.draw do
   # omniauth
   get "/auth/failure" => "users#auth_failure"
   match "/auth/:provider/callback" => "users#auth_success", :via => [:get, :post], :as => :auth_success
-  post "/auth/:provider" => "users#auth", :as => :auth
+  match "/auth/:provider" => "users#auth", :via => [:post, :patch], :as => :auth
 
   # permalink
   get "/go/:code" => "site#permalink", :code => /[a-zA-Z0-9_@~]+[=-]*/, :as => :permalink