Skip CSRF token for OmniAuth callbacks (prevents session reset)

OmniAuth callbacks need to accept a raw POST from the auth provider without
verifying the CSRF token, otherwise the session will be reset.

See intridea/omniauth#203
See also http://www.communityguides.eu/articles/16

(This technique will also be needed for API endpoints when the time comes)
Steven Hancock 2012-03-29 18:46:32 -07:00
parent b0a9e9ee59
commit fc4b8d2af0

@ -3,6 +3,11 @@
# the COPYRIGHT file.
class ServicesController < ApplicationController
# We need to take a raw POST from an omniauth provider with no authenticity token.
# See https://github.com/intridea/omniauth/issues/203
# See also http://www.communityguides.eu/articles/16
skip_before_filter :verify_authenticity_token, :only => :create
before_filter :authenticate_user!
respond_to :html
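Review bot: With `skip_before_filter :verify_authenticity_token, :only => :create` ahead of `before_filter :authenticate_user!`, `create` no longer has any anti-forgery check of its own, yet it still runs inside the signed-in user's session, so a cross-site POST sent from that user's browser will reach it. The new comment explains why the token is missing but not what the action relies on instead. Suggest extending the comment (and confirming in `create`) that the action only acts on the auth data OmniAuth has already validated for the callback, `request.env['omniauth.auth']`, and never on raw request parameters. Keeping the skip scoped with `:only => :create` is the right call; for the API endpoints mentioned in the commit message, prefer a separate controller with its own authentication rather than widening this skip.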