Closed daveharris closed 1 year ago
I'm sorry, I don't think I have any ideas for you currently.
Instead of `method: :post`, I believe you need `data: { method: :post }`, or you need to use `button_to` instead of `link_to`.
Not an issue with omniauth-stripe-connect and I've been able to change where the `<form>` tag is so I can use a `<button>` instead
Hi,
I'm not sure if this is a problem caused by omniauth-stripe-connect, but I'm not sure where else to put it.
To fix CVE-2015-9284 I have upgraded my OmniAuth version to v1.9.0 and installed omniauth-rails_csrf_protection. I then updated my view to add `method: :post`
:to
When clicking this link, it redirects to the URL
https://connect.stripe.com/oauth/authorize?_method=post&authenticity_token=...&client_id=ca_...&response_type=code&scope=read_write&state=...
Notice that the URL contains `_method=post`. Stripe rejects the authentication request with a "The user denied your request" error. If I remove the `_method=post` from the URL it works fine.

Rails log:
The `_method=post` is being passed from the controller through to Stripe as the `link_to` helper produces this HTML: `<a class="ui secondary button" rel="nofollow" data-method="post" href="/users/auth/stripe_connect">Connect with Stripe</a>`.

I can't use the `button_to` approach as the link is inside another form, but this does work if I put it outside the form.

Any ideas? I have searched for whitelisting or blacklisting parameters in omniauth and omniauth-stripe-connect but haven't come up with anything.
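
The parameter allowlisting asked about above, sketched as an added example that is not code from this issue or from omniauth-stripe-connect. The function names, the allowlist and all sample values are constructed for illustration; the block compares a redirect URL that forwards every submitted form field with one that forwards only allowlisted OAuth parameters, so `_method` and `authenticity_token` never reach the provider.

```ruby
require "uri"

AUTHORIZE_ENDPOINT = "https://connect.stripe.com/oauth/authorize"

# Fields rails-ujs adds to the hidden form it submits for a data-method link.
RAILS_INTERNAL_PARAMS = %w[_method authenticity_token].freeze

# Hypothetical allowlist of request fields a caller may pass through.
PASSTHROUGH_PARAMS = %w[scope].freeze

# Constructed sample: what the app receives on POST /users/auth/stripe_connect.
SAMPLE_REQUEST_PARAMS = {
  "_method" => "post",
  "authenticity_token" => "constructed-token"
}.freeze

# Constructed sample: the OAuth parameters the app itself sets.
SAMPLE_OAUTH_PARAMS = {
  "client_id" => "ca_EXAMPLE",
  "response_type" => "code",
  "scope" => "read_write",
  "state" => "constructed-state"
}.freeze

# Forwards every request field: reproduces the shape of the URL in the post.
def naive_authorize_url(oauth_params, request_params)
  uri = URI.parse(AUTHORIZE_ENDPOINT)
  uri.query = URI.encode_www_form(request_params.merge(oauth_params))
  uri.to_s
end

# Forwards only allowlisted request fields; app-set OAuth values always win.
def filtered_authorize_url(oauth_params, request_params)
  passthrough = request_params.slice(*PASSTHROUGH_PARAMS)
  uri = URI.parse(AUTHORIZE_ENDPOINT)
  uri.query = URI.encode_www_form(passthrough.merge(oauth_params))
  uri.to_s
end

# Returns the framework-internal field names present in a redirect URL.
def leaked_params(url)
  names = URI.decode_www_form(URI.parse(url).query.to_s).map(&:first)
  names & RAILS_INTERNAL_PARAMS
end
```

`leaked_params` can also be run over redirect URLs in request logs to check whether the CSRF token is being sent to a third party in a query string.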