2

I'm trying to allow my users to login with their Google accounts using devise, omniauth and devise-token-auth. To do so I have added the following code to the rails API-only boilerplate.

# Gemfile

...

# authentication
gem 'devise', '~> 4.7'
gem 'devise_token_auth', git: 'https://github.com/lynndylanhurley/devise_token_auth'
gem 'omniauth', '~> 1.9.1'
gem 'omniauth-google-oauth2

...

# config/initializers/omniauth.rb

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET']
end

# config/routes.rb

Rails.application.routes.draw do
  root 'application#home'

  mount_devise_token_auth_for 'User', at: 'auth'
end

For the frontend I use j-toker and have set it up as follows

Auth.configure({
  apiUrl: `http://localhost:8000/`,
  authProviderPaths: {
    google: `/auth/google_oauth2`,
  },
});

When the user clicks on the login with google button I then call

Auth.oAuthSignIn({ provider: `google` }).then(() => {
    // handle result
});

The Issue: When the user clicks on the login button, a new tab opens up with the rails error message No route matches [GET] "/omniauth/google_oauth2"

It seems like /auth/google_oauth2 redirects to /omniauth/google_oauth2 but the /omniauth/:provider path doesn't exist

The output of rails routes is as follows:

                                  Prefix Verb     URI Pattern                                                                                       Controller#Action
                                    root GET      /                                                                                                 application#home
                        new_user_session GET      /auth/sign_in(.:format)                                                                           devise_token_auth/sessions#new
                            user_session POST     /auth/sign_in(.:format)                                                                           devise_token_auth/sessions#create
                    destroy_user_session DELETE   /auth/sign_out(.:format)                                                                          devise_token_auth/sessions#destroy
                       new_user_password GET      /auth/password/new(.:format)                                                                      devise_token_auth/passwords#new
                      edit_user_password GET      /auth/password/edit(.:format)                                                                     devise_token_auth/passwords#edit
                           user_password PATCH    /auth/password(.:format)                                                                          devise_token_auth/passwords#update
                                         PUT      /auth/password(.:format)                                                                          devise_token_auth/passwords#update
                                         POST     /auth/password(.:format)                                                                          devise_token_auth/passwords#create
                cancel_user_registration GET      /auth/cancel(.:format)                                                                            devise_token_auth/registrations#cancel
                   new_user_registration GET      /auth/sign_up(.:format)                                                                           devise_token_auth/registrations#new
                  edit_user_registration GET      /auth/edit(.:format)                                                                              devise_token_auth/registrations#edit
                       user_registration PATCH    /auth(.:format)                                                                                   devise_token_auth/registrations#update
                                         PUT      /auth(.:format)                                                                                   devise_token_auth/registrations#update
                                         DELETE   /auth(.:format)                                                                                   devise_token_auth/registrations#destroy
                                         POST     /auth(.:format)                                                                                   devise_token_auth/registrations#create
                     auth_validate_token GET      /auth/validate_token(.:format)                                                                    devise_token_auth/token_validations#validate_token
                            auth_failure GET      /auth/failure(.:format)                                                                           users/omniauth_callbacks#omniauth_failure
                                         GET      /auth/:provider/callback(.:format)                                                                users/omniauth_callbacks#omniauth_success
                                         GET|POST /omniauth/:provider/callback(.:format)                                                            users/omniauth_callbacks#redirect_callbacks
                        omniauth_failure GET|POST /omniauth/failure(.:format)                                                                       users/omniauth_callbacks#omniauth_failure
                                         GET      /auth/:provider(.:format)                                                                         redirect(301)

As you can see the /omniauth/:provider route doesn't even exist... Any idea what the Issue is?

Gumbee
  • 53
  • 1
  • 5

1 Answers1

0

Placing OmniAuth.config.allowed_request_methods = [:get] in the omniauth initializer fixed this issue for me.

Like this:

Rails.application.config.middleware.use OmniAuth::Builder do
  OmniAuth.config.allowed_request_methods = [:get]
  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET']
end

However, it must be noted that allowing GET requests gives the following warning:

You are using GET as an allowed request method for OmniAuth. This may leave
  you open to CSRF attacks. As of v2.0.0, OmniAuth by default allows only POST
  to its own routes. You should review the following resources to guide your
  mitigation:
  https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
  https://github.com/omniauth/omniauth/issues/960
  https://nvd.nist.gov/vuln/detail/CVE-2015-9284
  https://github.com/omniauth/omniauth/pull/809

  You can ignore this warning by setting:
  OmniAuth.config.silence_get_warning = true

So its probably best to only allow POST requests

gmm
  • 943
  • 1
  • 17
  • 30