If the use of GET requests to /auth/:provider is essential for your application (for example, if you are ever redirecting to /auth/:provider as part of an authentication process), then you will need to put together a more involved solution for your specific needs. This may mean redirecting to a standard log-in screen which includes link_to 'Log in', '/auth/:provider', method: :post or another POST/form-based approach (like button_to).
This change is required to use the omniauth-rails_csrf_protection gem securely because the gem doesn't allow GET requests to /auth/:provider by default.
I've confirmed that the sign-in button works with this patch.
This patch replaces a link (<a>) to Google OAuth2 with a <form> and <button> so that a POST request is used. This is the way recommended by the omniauth documentation; see https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
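As an added illustration that is not the gem's code and not part of this patch, the following models the request-phase rule omniauth-rails_csrf_protection enforces (GET to /auth/:provider refused, POST accepted only with a matching authenticity token) and the kind of form markup button_to emits in place of the old link. The module name, method names and the token values in the comments are assumptions made for this example.

```ruby
require "erb"

# Models the policy applied to the OmniAuth request phase: a bare GET link
# can be triggered cross-site (CVE-2015-9284), so only a POST carrying the
# session's anti-CSRF token may start the sign-in. Not the gem's implementation.
module AuthRequestGuard
  # Matches "/auth/google_oauth2" but not "/auth/google_oauth2/callback";
  # the callback phase is protected by the OAuth state parameter instead.
  AUTH_PATH = %r{\A/auth/([A-Za-z0-9_]+)\z}

  # Returns [allowed?, reason]. Reasons are for logging/detection; the
  # response to the client should be a plain 4xx without detail.
  def self.check(method:, path:, token:, session_token:)
    provider = path[AUTH_PATH, 1]
    return [true, :not_auth_path] unless provider
    return [false, :get_not_allowed] unless method == "POST"
    return [false, :missing_token] if token.nil? || session_token.nil?
    return [false, :token_mismatch] unless tokens_match?(token, session_token)
    [true, :ok]
  end

  # Length check first, then a constant-time byte comparison so the token
  # cannot be recovered via timing differences.
  def self.tokens_match?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Roughly what `button_to label, "/auth/#{provider}", method: :post`
  # renders: the hidden authenticity_token is what makes the POST safe.
  def self.sign_in_form_html(provider, label, token)
    e = ->(s) { ERB::Util.html_escape(s) }
    <<~HTML
      <form method="post" action="/auth/#{e.(provider)}">
        <input type="hidden" name="authenticity_token" value="#{e.(token)}" autocomplete="off">
        <button type="submit">#{e.(label)}</button>
      </form>
    HTML
  end
end
```

A GET to /auth/google_oauth2 is rejected before the provider redirect regardless of any token, which is exactly why the old `<a>` link stops working once the gem is installed.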