
developer strategy: ActionController::InvalidAuthenticityToken in SessionsController#create #957

Closed
bingUSE opened this issue May 6, 2019 · 1 comment · Fixed by #1106

Comments

@bingUSE

bingUSE commented May 6, 2019

Please complete all sections.

Configuration

  • Provider Gem: omniauth* #.lock shows omniauth (1.9.0)
  • Ruby Version: 2.4.0
  • Framework: 'rails', '4.2.10'
  • Platform: ubuntu #on cloud 9 ide

Expected Behavior

Using the developer strategy, the callback should be provided with a valid token.

Actual Behavior

Goes to the auth/developer login form correctly, but then raises the following error instead of returning to auth/developer/callback, which routes to sessions#create:
ActionController::InvalidAuthenticityToken in SessionsController#create
ActionController::InvalidAuthenticityToken

Steps to Reproduce

Register or Log In with Developer
Click on above link which is on login page.

Register or Log In with GitHub
Register or Log In with Facebook
Other links work normally, also passes Cucumber tests in test mode.
The only problem is that I need to do an end run on actual authentication while I'm in developer mode so the actual providers aren't abused.

Let me know which files I should include.

@rosewcs345

I found this in another section of the Wiki:
Rails session is clobbered after callback on Developer strategy
The developer strategy callback is sent using POST request. Disable forgery protection for given action, otherwise session will be clobbered by rails.

skip_before_action :verify_authenticity_token, only: :create

Is this before_action being handled by omniauth itself, or should I add it to my controllers when NOT in developer mode?
It looks as though this scheme works by just adding that line in developer mode, and deleting it in production, which seems pretty unreliable. Is there a way to enforce it automatically instead?

cycomachead added a commit to cycomachead/omniauth that referenced this issue Mar 3, 2023
This changes the default method of the :developer strategy to GET.
It does this by allowing OmniAuth::Form to accept a `:method` option,
which is optional and defaults to 'post', the current behavior.
Because the default behavior remains unchanged, I don't expect this to
introduce any breaking changes.

This allows the developer strategy to work with the directions provided
in the README. Further, it seems that the default action of most
strategies is to use GET for their callbacks.

Fixes omniauth#1087
Fixes omniauth#1061
Fixes omniauth#957
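The two threads above (the comment asking whether the `skip_before_action` exemption can be enforced automatically, and the commit that switches the developer callback to GET) both come down to how Rails' authenticity check decides which requests to verify. The following is an added, self-contained Ruby sketch written for this page; it is not OmniAuth or Rails code. It assumes a constructed `Request` struct in place of `ActionDispatch::Request`, a plain environment string in place of `Rails.env`, and a 422 status as the stand-in for `ActionController::InvalidAuthenticityToken`. It shows why a POST callback without the session token is rejected, why a GET callback is never checked at all, and how to scope the exemption to the developer provider outside production instead of relying on a line that must be deleted before deploying.

```ruby
require 'securerandom'

# Constructed stand-in for a Rails request: HTTP method, route params and
# the session hash (the real objects are ActionDispatch::Request and its session).
Request = Struct.new(:http_method, :params, :session, keyword_init: true)

# Issue the per-session CSRF token, as Rails' form_authenticity_token does
# (simplified: Rails additionally masks the token on every render).
def issue_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time byte comparison so the token check does not leak a timing
# side channel (same idea as Rack::Utils.secure_compare).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Mirrors the shape of Rails' verified_request?: GET and HEAD are never
# checked, every other method must carry the session's token. This is why
# switching the developer callback to GET (the commit above) also resolves
# the error: the callback simply stops being subject to the check.
def verified_request?(request)
  return true if %w[GET HEAD].include?(request.http_method)
  expected = request.session[:_csrf_token]
  given = request.params['authenticity_token']
  return false if expected.nil? || given.nil?
  secure_compare(expected, given)
end

# The narrowly scoped exemption the comment above asks for. In a real
# controller the equivalent is
#   skip_before_action :verify_authenticity_token, only: :create,
#     if: -> { params[:provider] == 'developer' && !Rails.env.production? }
# so the exemption is tied to the developer provider and to non-production
# environments rather than to a line someone must remember to delete.
def csrf_exempt?(action:, provider:, env:)
  action == :create && provider == 'developer' && env != 'production'
end

# SessionsController#create reduced to the authenticity decision.
# Returns [status, message]; 422 stands in for the
# ActionController::InvalidAuthenticityToken response.
def sessions_create(request, env:)
  provider = request.params['provider']
  exempt = csrf_exempt?(action: :create, provider: provider, env: env)
  unless exempt || verified_request?(request)
    return [422, 'ActionController::InvalidAuthenticityToken']
  end
  [200, "signed in via #{provider}"]
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  issue_token(session)
  dev = Request.new(http_method: 'POST', params: { 'provider' => 'developer' }, session: session)
  puts sessions_create(dev, env: 'development').inspect # exempt in development
  puts sessions_create(dev, env: 'production').inspect  # still rejected in production
end
```

The point of `csrf_exempt?` is that the exemption cannot reach production by accident: a POST to `/auth/developer/callback` without a token is accepted only while the environment is not production, while every other provider's POST callback and every request to other actions is still verified. If the developer callback is sent as GET, as the commit above makes possible, no exemption is needed because Rails does not run the token check on GET.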