From: Tom Hughes Date: Mon, 27 Dec 2021 10:25:44 +0000 (+0000) Subject: Allow PATCH for OmniAuth requests X-Git-Tag: live~1949 X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/b0288b83bb437bbfc0deb325cca142066dc9848b?ds=sidebyside Allow PATCH for OmniAuth requests This is required to allow the account settings screen, which now uses the PATCH verb, to redirect to OmniAuth when the external authentication provider is changed. As PATCH still uses CSRF this doesn't impact CVE-2015-9284 which is the reason for requiring POST and most importantly got not allowing GET requests to OmniAuth.
---
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 7889fca81..dd69aba83 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -8,6 +8,7 @@ OpenID::Util.logger = Rails.logger
 OmniAuth.config.logger = Rails.logger
 OmniAuth.config.failure_raise_out_environments = []
+OmniAuth.config.allowed_request_methods = [:post, :patch]
 
 if Settings.key?(:memcache_servers)
   require "openid/store/memcache"
 
diff --git a/config/routes.rb b/config/routes.rb
index 2983fea55..ade101821 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -178,7 +178,7 @@ OpenStreetMap::Application.routes.draw do
   # omniauth
   get "/auth/failure" => "users#auth_failure"
   match "/auth/:provider/callback" => "users#auth_success", :via => [:get, :post], :as => :auth_success
-  post "/auth/:provider" => "users#auth", :as => :auth
+  match "/auth/:provider" => "users#auth", :via => [:post, :patch], :as => :auth
 
   # permalink
   get "/go/:code" => "site#permalink", :code => /[a-zA-Z0-9_@~]+[=-]*/, :as => :permalink
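Review bot: The rationale for the new `allowed_request_methods` line in config/initializers/omniauth.rb lives only in the commit message; nothing at the line itself says that GET must stay excluded, so a later "simplification" of the list could reintroduce the login CSRF the commit cites as CVE-2015-9284. Add a comment above it: `# Do not add :get here: the OmniAuth request phase must stay behind a CSRF token (CVE-2015-9284). :patch is needed so the account settings form can redirect to a provider.` The same verb list is repeated as `:via => [:post, :patch]` in the config/routes.rb hunk; a shared constant, or a comment in each place pointing at the other, would keep the two from drifting apart. The claim that PATCH is safe rests on request-phase CSRF verification covering non-GET verbs, which this diff does not show; it is worth confirming that the verifier in use rejects an unauthenticated PATCH to /auth/:provider the same way it rejects a POST.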