mirror of
https://github.com/heartcombo/devise.git
synced 2026-01-08 22:37:57 -05:00
4f82235630
- ### Context Since version 2.0.0, Omniauth no longer recognizes `GET` request on the auth path (`/users/auth/<provider>`). `POST` is the only verb that is by default recognized in order to mitigate CSRF attack.66110da85e/lib/omniauth/strategy.rb (L205)Ultimatelly, when a user try to access `GET /users/auth/facebook`, Devise [passthru action](6d32d2447c/app/controllers/devise/omniauth_callbacks_controller.rb (L6)) will be called which just return a raw 404 page. ### Problem There is no problem per se and everything work. However the advantage of not matching GET request at the router layer allows to get that same 404 page stylized for "free" (Rails ending up rendering the 404 page of the app). I believe it's also more consistent and less surprising for users if this passthru action don't get called. ### Drawback An application can no longer override the `passthru` to perform the logic it wants (i.e. redirect the user). If this is a dealbreaker, feel free to close this PR :).