Merge pull request #5508 from Edouard-chin/ec-omniauth-allowed-methods

Use Omniauth.allowed_methods' as routing verbs for the auth path:
heartcombo · Jun 9, 2023 · 1b0ef1d · 1b0ef1d
2 parents 8bb41ad + 4f82235
commit 1b0ef1d
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/lib/devise/rails/routes.rb b/lib/devise/rails/routes.rb
@@ -447,7 +447,7 @@ def devise_omniauth_callback(mapping, controllers) #:nodoc:
           match "#{path_prefix}/#{provider}",
             to: "#{controllers[:omniauth_callbacks]}#passthru",
             as: "#{provider}_omniauth_authorize",
-            via: [:get, :post]
+            via: OmniAuth.config.allowed_request_methods
 
           match "#{path_prefix}/#{provider}/callback",
             to: "#{controllers[:omniauth_callbacks]}##{provider}",

diff --git a/test/integration/omniauthable_test.rb b/test/integration/omniauthable_test.rb
@@ -126,6 +126,28 @@ def stub_action!(name)
     end
   end
 
+  test "authorization path via GET when Omniauth allowed_request_methods includes GET" do
+    original_allowed = OmniAuth.config.allowed_request_methods
+    OmniAuth.config.allowed_request_methods = [:get, :post]
+
+    get "/users/auth/facebook"
+
+    assert_response(:redirect)
+  ensure
+    OmniAuth.config.allowed_request_methods = original_allowed
+  end
+
+  test "authorization path via GET when Omniauth allowed_request_methods doesn't include GET" do
+    original_allowed = OmniAuth.config.allowed_request_methods
+    OmniAuth.config.allowed_request_methods = [:post]
+
+    assert_raises(ActionController::RoutingError) do
+      get "/users/auth/facebook"
+    end
+  ensure
+    OmniAuth.config.allowed_request_methods = original_allowed
+  end
+
   test "generates a link to authenticate with provider" do
     visit "/users/sign_in"
     assert_select "form[action=?][method=post]", "/users/auth/facebook" do