From fc4b8d2af0f8225e9252262f70f67029cde017d0 Mon Sep 17 00:00:00 2001
From: Steven Hancock
Date: Thu, 29 Mar 2012 18:46:32 -0700
Subject: [PATCH] Skip CSRF token for OmniAuth callbacks (prevents session reset)

OmniAuth callbacks need to accept a raw POST from the auth provider without verifying the CSRF token, otherwise the session will be reset. See intridea/omniauth#203 See also http://www.communityguides.eu/articles/16 (This technique will also be needed for API endpoints when the time comes)
---
 app/controllers/services_controller.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/app/controllers/services_controller.rb b/app/controllers/services_controller.rb
index 5f44071bf..7f3fd6ca1 100644
--- a/app/controllers/services_controller.rb
+++ b/app/controllers/services_controller.rb
@@ -3,6 +3,11 @@
 # the COPYRIGHT file.
 class ServicesController < ApplicationController
+  # We need to take a raw POST from an omniauth provider with no authenticity token.
+  # See https://github.com/intridea/omniauth/issues/203
+  # See also http://www.communityguides.eu/articles/16
+  skip_before_filter :verify_authenticity_token, :only => :create
+
   before_filter :authenticate_user!
   respond_to :html
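Review bot: The added `skip_before_filter :verify_authenticity_token, :only => :create` removes CSRF protection from `create` for every request, not only those arriving from a provider, while `before_filter :authenticate_user!` still runs, so `create` executes as the signed-in user with no proof that the user initiated the flow. Whether that is acceptable depends on the OmniAuth strategy validating an OAuth `state` (or equivalent nonce) parameter against the session; if the strategies in use do not, the callback should be tied to the initiating request some other way before this lands. The comment should record that reliance rather than only the session-reset symptom, e.g. `# create is the OmniAuth callback: with the token check skipped, its binding to the user's own initiated flow rests on the strategy's state/nonce check, so keep :only restricted to this action.` It is also worth confirming in the routes that no other path reaches `create` besides the provider callback. The `ServicesController` body continues past the end of the hunk.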