Gumbee

Reputation: 63

No route matches "omniauth/:provider" when using devise, omniauth and devise-token-auth

I'm trying to allow my users to log in with their Google accounts using devise, omniauth and devise-token-auth. To do so I have added the following code to the Rails API-only boilerplate.

# Gemfile

...

# authentication
gem 'devise', '~> 4.7'
gem 'devise_token_auth', git: 'https://github.com/lynndylanhurley/devise_token_auth'
gem 'omniauth', '~> 1.9.1'
gem 'omniauth-google-oauth2'

...

# config/initializers/omniauth.rb

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET']
end

# config/routes.rb

Rails.application.routes.draw do
  root 'application#home'

  mount_devise_token_auth_for 'User', at: 'auth'
end

For the frontend I use j-toker and have set it up as follows:

Auth.configure({
  apiUrl: `http://localhost:8000/`,
  authProviderPaths: {
    google: `/auth/google_oauth2`,
  },
});

When the user clicks on the "login with Google" button I then call:

Auth.oAuthSignIn({ provider: `google` }).then(() => {
    // handle result
});

The issue: when the user clicks on the login button, a new tab opens up with the Rails error message No route matches [GET] "/omniauth/google_oauth2".

It seems like /auth/google_oauth2 redirects to /omniauth/google_oauth2, but the /omniauth/:provider path doesn't exist.

The output of rails routes is as follows:

                                  Prefix Verb     URI Pattern                                                                                       Controller#Action
                                    root GET      /                                                                                                 application#home
                        new_user_session GET      /auth/sign_in(.:format)                                                                           devise_token_auth/sessions#new
                            user_session POST     /auth/sign_in(.:format)                                                                           devise_token_auth/sessions#create
                    destroy_user_session DELETE   /auth/sign_out(.:format)                                                                          devise_token_auth/sessions#destroy
                       new_user_password GET      /auth/password/new(.:format)                                                                      devise_token_auth/passwords#new
                      edit_user_password GET      /auth/password/edit(.:format)                                                                     devise_token_auth/passwords#edit
                           user_password PATCH    /auth/password(.:format)                                                                          devise_token_auth/passwords#update
                                         PUT      /auth/password(.:format)                                                                          devise_token_auth/passwords#update
                                         POST     /auth/password(.:format)                                                                          devise_token_auth/passwords#create
                cancel_user_registration GET      /auth/cancel(.:format)                                                                            devise_token_auth/registrations#cancel
                   new_user_registration GET      /auth/sign_up(.:format)                                                                           devise_token_auth/registrations#new
                  edit_user_registration GET      /auth/edit(.:format)                                                                              devise_token_auth/registrations#edit
                       user_registration PATCH    /auth(.:format)                                                                                   devise_token_auth/registrations#update
                                         PUT      /auth(.:format)                                                                                   devise_token_auth/registrations#update
                                         DELETE   /auth(.:format)                                                                                   devise_token_auth/registrations#destroy
                                         POST     /auth(.:format)                                                                                   devise_token_auth/registrations#create
                     auth_validate_token GET      /auth/validate_token(.:format)                                                                    devise_token_auth/token_validations#validate_token
                            auth_failure GET      /auth/failure(.:format)                                                                           users/omniauth_callbacks#omniauth_failure
                                         GET      /auth/:provider/callback(.:format)                                                                users/omniauth_callbacks#omniauth_success
                                         GET|POST /omniauth/:provider/callback(.:format)                                                            users/omniauth_callbacks#redirect_callbacks
                        omniauth_failure GET|POST /omniauth/failure(.:format)                                                                       users/omniauth_callbacks#omniauth_failure
                                         GET      /auth/:provider(.:format)                                                                         redirect(301)

As you can see, the /omniauth/:provider route doesn't even exist... Any idea what the issue is?

Upvotes: 2

Views: 737

Answers (1)

gmm

Reputation: 1022

Placing OmniAuth.config.allowed_request_methods = [:get] in the omniauth initializer fixed this issue for me.

Like this:

Rails.application.config.middleware.use OmniAuth::Builder do
  OmniAuth.config.allowed_request_methods = [:get]
  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET']
end

However, it must be noted that allowing GET requests gives the following warning:

You are using GET as an allowed request method for OmniAuth. This may leave
  you open to CSRF attacks. As of v2.0.0, OmniAuth by default allows only POST
  to its own routes. You should review the following resources to guide your
  mitigation:
  https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
  https://github.com/omniauth/omniauth/issues/960
  https://nvd.nist.gov/vuln/detail/CVE-2015-9284
  https://github.com/omniauth/omniauth/pull/809

  You can ignore this warning by setting:
  OmniAuth.config.silence_get_warning = true

So it's probably best to only allow POST requests.

Upvotes: 0
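To make the trade-off in the answer concrete, here is an added example (not code from the question, the answer, or OmniAuth itself) that models the request-phase gate OmniAuth puts in front of /omniauth/:provider. The class, the constructed Rack-style request hashes, and the example.test authorize URL are all hypothetical; `allowed_methods` stands in for OmniAuth.config.allowed_request_methods, and the authenticity-token check stands in for what the omniauth-rails_csrf_protection gem adds when the request phase is POST-only. It shows why the GET-permitting fix above accepts a request that any third-party page can trigger with a plain link or image tag (the login-CSRF class the warning refers to), while the POST-only configuration rejects both a cross-site GET and a POST without the session's token:

```ruby
require 'securerandom'
require 'uri'

# Hypothetical stand-in for OmniAuth's request-phase gate (not OmniAuth's own code).
# allowed_methods mirrors OmniAuth.config.allowed_request_methods; the token check
# mirrors the authenticity-token verification a CSRF-protection layer adds for POST.
class OmniAuthRequestGate
  PROVIDER_PATH = %r{\A/omniauth/(?<provider>[a-z0-9_]+)\z}

  def initialize(allowed_methods:, require_csrf_token: true)
    @allowed = allowed_methods.map { |m| m.to_s.upcase }
    @require_csrf_token = require_csrf_token
  end

  # env is a Rack-style hash: REQUEST_METHOD, PATH_INFO, rack.input (a String body
  # here for simplicity) and rack.session carrying the server-side CSRF token.
  def call(env)
    match = PROVIDER_PATH.match(env['PATH_INFO'].to_s)
    return [404, {}, ['not found']] unless match

    method = env['REQUEST_METHOD']
    return [405, {}, ['request phase not allowed for this method']] unless @allowed.include?(method)

    if method == 'POST' && @require_csrf_token
      params = URI.decode_www_form(env['rack.input'].to_s).to_h
      session_token = env.dig('rack.session', :csrf_token).to_s
      submitted = params['authenticity_token'].to_s
      unless !session_token.empty? && secure_compare(session_token, submitted)
        return [422, {}, ['invalid authenticity token']]
      end
    end

    # Request phase accepted: redirect the browser to the (hypothetical) provider.
    [302, { 'Location' => "https://accounts.example.test/authorize?provider=#{match[:provider]}" }, []]
  end

  private

  # Constant-time comparison so the token check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample session and requests.
SESSION = { csrf_token: SecureRandom.hex(16) }

# What a cross-site page can trigger: a top-level GET navigation (link, popup, img tag).
def cross_site_get
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/omniauth/google_oauth2',
    'rack.input' => '', 'rack.session' => SESSION }
end

# A form POST rendered by the app itself, carrying the session's token.
def same_site_post
  { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/omniauth/google_oauth2',
    'rack.input' => URI.encode_www_form('authenticity_token' => SESSION[:csrf_token]),
    'rack.session' => SESSION }
end

# A POST submitted from elsewhere: it cannot know the session's token.
def forged_post
  { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/omniauth/google_oauth2',
    'rack.input' => 'authenticity_token=bogus', 'rack.session' => SESSION }
end

# The configuration the answer enables (GET allowed, no token check) next to the
# OmniAuth 2 default of POST only with a token check in front of it.
WEAK     = OmniAuthRequestGate.new(allowed_methods: [:get, :post], require_csrf_token: false)
HARDENED = OmniAuthRequestGate.new(allowed_methods: [:post])

def status(gate, env)
  gate.call(env)[0]
end

if __FILE__ == $0
  { 'cross-site GET' => cross_site_get, 'same-site POST' => same_site_post, 'forged POST' => forged_post }.each do |label, env|
    puts format('%-15s weak=%d hardened=%d', label, status(WEAK, env), status(HARDENED, env))
  end
end
```

With the POST-only configuration the frontend has to start the flow with a form POST that carries the token rather than opening /auth/google_oauth2 in a new tab with a GET, which is why the answer's GET setting makes the j-toker popup work and also why the warning is raised.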
