gdfgdfg

Reputation: 3566

Disable GET for Devise routes, Rails 5

I have Rails 5 with Devise with Ajax login/registration and I want to remove GET requests for these two actions. The default sign_in/sign_up routes are changed. This is my routes.rb:

devise_for :users, :path => '', :path_names => { :sign_in => "login",
                       :sign_out => "logout", :sign_up => "registration" },
                       :controllers => {:sessions => 'sessions',
                                        :registrations => 'registrations' }

Upvotes: 0

Views: 254

Answers (2)

gdfgdfg

Reputation: 3566

Because I am using a custom registration_controller and sessions_controller, I just override the methods which show the registration/login pages. Both methods are show. I add this method to both custom controllers:

def new
  raise ActionController::RoutingError.new('Not Found')
end

which returns 404 if someone navigates to the registration or login URL, but POST requests work fine.

Upvotes: 0

NM Pennypacker

Reputation: 6942

In sessions_controller.rb and registrations_controller.rb you can check the request type and return 404 if it's a GET request:

If you haven't monkey-patched your devise controller already, create the directory app/controllers/devise and add the file registrations_controller.rb to it:

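class Devise::RegistrationsController < DeviseController
  # Runs ahead of the other callbacks; you can limit it to certain actions with only: [:new, etc.]
  prepend_before_action :check_get_request

  private

  # Halts the request with a 404 when it arrives as a GET; other verbs
  # fall through to the action untouched.
  def check_get_request
    # respond with 404 or 422, or whatever
    head :not_found if request.get?
  end
end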

Same goes for sessions_controller. You might break something by disabling all GET requests, but you can target specific actions if need be.

For reference: https://github.com/plataformatec/devise/blob/master/app/controllers/devise/registrations_controller.rb and: https://github.com/plataformatec/devise/blob/master/app/controllers/devise/sessions_controller.rb

Upvotes: 1
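An added check, not part of either answer and not Devise's own code: both answers leave the GET routes in the routing table and answer them with a 404 from the controller, so this script lists the GET routes that still dispatch to the form actions, given `rails routes` output. The sample output is constructed for the `devise_for` call in the question, and `parse_route_row` and `get_routes_to` are hypothetical helper names.

```ruby
# SAMPLE_ROUTES is constructed for illustration (not captured from a real app);
# it mimics `rails routes` output for the devise_for call in the question.
SAMPLE_ROUTES = <<~ROUTES
                  Prefix Verb   URI Pattern                Controller#Action
        new_user_session GET    /login(.:format)           sessions#new
            user_session POST   /login(.:format)           sessions#create
    destroy_user_session DELETE /logout(.:format)          sessions#destroy
   new_user_registration GET    /registration(.:format)    registrations#new
  edit_user_registration GET    /edit(.:format)            registrations#edit
       user_registration PATCH  /(.:format)                registrations#update
                         PUT    /(.:format)                registrations#update
                         DELETE /(.:format)                registrations#destroy
                         POST   /(.:format)                registrations#create
ROUTES

HTTP_VERBS = %w[GET HEAD POST PUT PATCH DELETE OPTIONS].freeze

# Parse one row of `rails routes` into {verbs:, path:, target:}. Returns nil
# for the header row and for rows without a verb column (e.g. mounted engines).
# Continuation rows have no prefix, so the verb column is located by content.
def parse_route_row(line)
  tokens = line.split
  idx = tokens.index do |t|
    verbs = t.split('|') # `match ... via: [...]` prints verbs as GET|POST
    !verbs.empty? && verbs.all? { |v| HTTP_VERBS.include?(v) }
  end
  return nil if idx.nil? || tokens.length < idx + 3

  { verbs: tokens[idx].split('|'), path: tokens[idx + 1], target: tokens[idx + 2] }
end

# Return "path -> controller#action" for every GET route that dispatches to
# one of the given actions (default: the login and registration form pages).
def get_routes_to(routes_text, actions = %w[sessions#new registrations#new])
  routes_text.each_line.map do |line|
    row = parse_route_row(line)
    next unless row && row[:verbs].include?('GET') && actions.include?(row[:target])

    "#{row[:path].sub('(.:format)', '')} -> #{row[:target]}"
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  get_routes_to(SAMPLE_ROUTES).each { |route| puts "GET #{route}" }
end
```

For the layout in the second answer, where the controllers live under `Devise::`, pass `%w[devise/sessions#new devise/registrations#new]` as the second argument.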
