zquestz / omniauth-google-oauth2

Oauth2 strategy for Google

Redirect Causing ActionDispatch::Cookies::CookieOverflow in Rails 6.0.3 #386

Closed cguess closed 4 years ago

cguess commented 4 years ago

I've been using this gem for quite a while, and since upgrading to Rails 6.0.3, I'm getting occasional `ActionDispatch::Cookies::CookieOverflow` errors.

This seems to be because I'm using the default cookie store (which most people will be) and the Google redirect URL is blowing up the 4kb limit for the cookie. One solution is to change from the default to a Memcache or ActiveStorage cookie storage, but that seems to be a big ask just to enable Google OAuth, plus it introduces a bunch of other considerations that have to be taken into account.

This may be unrelated to the Rails upgrade and could be coincidence if Google added new params to their redirect URLs.

Thanks for the great product and let me know if there's more info needed.

ghost commented 4 years ago

Hey @cguess, I have the same error!

Please try: `session['devise.google_data'] = request.env['omniauth.auth'].except("extra")` instead of `session['devise.google_data'] = request.env['omniauth.auth'].except(:extra)`

It works for me :)
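Added example, not part of the thread or of the gem's code: why the key type in the suggestion above matters for the cookie size. It assumes the auth hash can be modelled as a plain string-keyed Hash; the field contents are constructed filler, and `sample_auth`, `plaintext_bytes` and `certain_overflow?` are hypothetical helper names.

```ruby
require "json"

# Rails' per-cookie cap in bytes (ActionDispatch::Cookies::MAX_COOKIE_SIZE).
COOKIE_LIMIT = 4096

# Hash#except is built in from Ruby 3.0 (ActiveSupport adds it earlier);
# this fallback only keeps the example runnable on older plain Ruby.
unless Hash.method_defined?(:except)
  class Hash
    def except(*keys)
      reject { |k, _| keys.include?(k) }
    end
  end
end

# Constructed stand-in for request.env['omniauth.auth']: string keys, with
# filler strings sized like a token and profile payloads (not real data).
def sample_auth
  {
    "provider" => "google_oauth2",
    "uid" => "100000000000000000000",
    "info" => { "name" => "Example User", "email" => "user@example.com" },
    "credentials" => { "token" => "t" * 200, "expires" => true },
    "extra" => {
      "id_token" => "j" * 1800,
      "id_info" => { "filler" => "i" * 1400 },
      "raw_info" => { "filler" => "r" * 1400 }
    }
  }
end

# Size of the value as JSON. The encrypted, encoded session cookie is larger
# still, so this is a lower bound on what the browser would have to store.
def plaintext_bytes(value)
  JSON.generate(value).bytesize
end

# True when the value cannot fit in a cookie even before encryption overhead.
def certain_overflow?(value)
  plaintext_bytes(value) > COOKIE_LIMIT
end

if __FILE__ == $PROGRAM_NAME
  auth = sample_auth
  [auth, auth.except(:extra), auth.except("extra")].each do |v|
    puts "extra kept: #{v.key?('extra')}, #{plaintext_bytes(v)} bytes, overflow: #{certain_overflow?(v)}"
  end
end
```

On a string-keyed hash the symbol form removes nothing, so the whole `extra` payload still goes into the session cookie.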

zquestz commented 4 years ago

Thanks for the report. Does the fix from @frooeyzanny work for you?

macfanatic commented 4 years ago

> Hey @cguess, I have the same error!
>
> Please try: `session['devise.google_data'] = request.env['omniauth.auth'].except("extra")` instead of `session['devise.google_data'] = request.env['omniauth.auth'].except(:extra)`
>
> It works for me :)

This did resolve the issue for me; I was adding to a new Rails 6.0.3 project and haven't used this library before and just followed the README.

zquestz commented 4 years ago

I updated the README to reflect this!

jcat4 commented 3 years ago

Apologies, I know this is closed, but I wanted to just ask for clarification. I'm having similar issues, but we're currently just using an Omniauth initializer and devise. There's no code on our end that explicitly sets any session info.

I know the docs cautioned to not do this, and to use devise configs and a new controller instead.

My question is: does devise do something that persists the contents of the auth hash to the session? Is that why these steps are necessary? Thanks in advance!