I am trying to let my users sign in with their Google accounts using devise, omniauth and devise-token-auth. To do that I added the following code to my Rails API (boilerplate only).
# Gemfile
...
# authentication
gem 'devise', '~> 4.7'
gem 'devise_token_auth', git: 'https://github.com/lynndylanhurley/devise_token_auth'
gem 'omniauth', '~> 1.9.1'
gem 'omniauth-google-oauth2'
...

# config/initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET']
end

# config/routes.rb
Rails.application.routes.draw do
  root 'application#home'
  mount_devise_token_auth_for 'User', at: 'auth'
end

For the frontend I use j-toker and set it up as follows:
Auth.configure({
  apiUrl: `http://localhost:8000/`,
  authProviderPaths: {
    google: `/auth/google_oauth2`,
  },
});

When the user clicks the "sign in with Google" button, I call

Auth.oAuthSignIn({ provider: `google` }).then(() => {
  // handle result
});

Problem: when the user clicks the sign-in button, a new tab opens containing the Rails error message No route matches [GET] "/omniauth/google_oauth2".
It seems that /auth/google_oauth2 redirects to /omniauth/google_oauth2, but the /omniauth/:provider path does not exist.
The output of rails routes is as follows:
                  Prefix Verb     URI Pattern                             Controller#Action
                    root GET      /                                       application#home
        new_user_session GET      /auth/sign_in(.:format)                 devise_token_auth/sessions#new
            user_session POST     /auth/sign_in(.:format)                 devise_token_auth/sessions#create
    destroy_user_session DELETE   /auth/sign_out(.:format)                devise_token_auth/sessions#destroy
       new_user_password GET      /auth/password/new(.:format)            devise_token_auth/passwords#new
      edit_user_password GET      /auth/password/edit(.:format)           devise_token_auth/passwords#edit
           user_password PATCH    /auth/password(.:format)                devise_token_auth/passwords#update
                         PUT      /auth/password(.:format)                devise_token_auth/passwords#update
                         POST     /auth/password(.:format)                devise_token_auth/passwords#create
cancel_user_registration GET      /auth/cancel(.:format)                  devise_token_auth/registrations#cancel
   new_user_registration GET      /auth/sign_up(.:format)                 devise_token_auth/registrations#new
  edit_user_registration GET      /auth/edit(.:format)                    devise_token_auth/registrations#edit
       user_registration PATCH    /auth(.:format)                         devise_token_auth/registrations#update
                         PUT      /auth(.:format)                         devise_token_auth/registrations#update
                         DELETE   /auth(.:format)                         devise_token_auth/registrations#destroy
                         POST     /auth(.:format)                         devise_token_auth/registrations#create
     auth_validate_token GET      /auth/validate_token(.:format)          devise_token_auth/token_validations#validate_token
            auth_failure GET      /auth/failure(.:format)                 users/omniauth_callbacks#omniauth_failure
                         GET      /auth/:provider/callback(.:format)      users/omniauth_callbacks#omniauth_success
                         GET|POST /omniauth/:provider/callback(.:format)  users/omniauth_callbacks#redirect_callbacks
        omniauth_failure GET|POST /omniauth/failure(.:format)             users/omniauth_callbacks#omniauth_failure
                         GET      /auth/:provider(.:format)               redirect(301)

As you can see, the /omniauth/:provider route does not even exist. Any idea what the problem is?
Posted on 2022-02-22 09:06:39
Putting OmniAuth.config.allowed_request_methods = [:get] in the omniauth initializer solved this for me.
Like this:

Rails.application.config.middleware.use OmniAuth::Builder do
  OmniAuth.config.allowed_request_methods = [:get]
  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET']
end

However, it has to be pointed out that allowing GET requests produces the following warning:
You are using GET as an allowed request method for OmniAuth. This may leave
you open to CSRF attacks. As of v2.0.0, OmniAuth by default allows only POST
to its own routes. You should review the following resources to guide your
mitigation:
https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
https://github.com/omniauth/omniauth/issues/960
https://nvd.nist.gov/vuln/detail/CVE-2015-9284
https://github.com/omniauth/omniauth/pull/809
You can ignore this warning by setting:
OmniAuth.config.silence_get_warning = true

So it is better to allow only POST requests.
https://stackoverflow.com/questions/66539096
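The mechanism behind the question and the answer, as an added example that is not part of the original post and not OmniAuth's or devise_token_auth's own code: OmniAuth 2.0 handles the request phase at /omniauth/:provider only for the methods listed in allowed_request_methods (POST by default). A GET there is not handled by the middleware at all and falls through to the Rails router, which has no such route and raises exactly the `No route matches [GET] "/omniauth/google_oauth2"` error shown above; the /auth/:provider entry in rails routes is only the 301 redirect that devise_token_auth adds in front of it. The Ruby below is a self-contained, standard-library-only stand-in for that guard plus the authenticity-token check that the omniauth-rails_csrf_protection gem layers on top. RequestPhaseGuard, ROUTER, build_app, call_app, scenarios and the in-memory _csrf_token session are hypothetical names and simplifications (Rails masks its tokens and keeps them in a signed session); the example contrasts the default (POST only, token required) with the answer's allowed_request_methods = [:get].

```ruby
require 'securerandom'
require 'stringio'
require 'uri'

# Stand-in for the request-phase guard OmniAuth 2.x applies at
# /omniauth/:provider, with the authenticity-token check that
# omniauth-rails_csrf_protection adds. Hypothetical code, not OmniAuth's own.
class RequestPhaseGuard
  REQUEST_PATH = %r{\A/omniauth/(?<provider>[a-z0-9_]+)\z}

  def initialize(app, allowed_request_methods: [:post], providers: [:google_oauth2])
    @app = app                                               # downstream app, i.e. the Rails router
    @allowed = allowed_request_methods.map { |m| m.to_s.upcase }
    @providers = providers.map(&:to_s)
  end

  def call(env)
    match = REQUEST_PATH.match(env['PATH_INFO'].to_s)
    return @app.call(env) unless match && @providers.include?(match[:provider])

    # OmniAuth 2 does not handle a request phase whose method is not in
    # allowed_request_methods: the request falls through to the Rails router,
    # which has no /omniauth/:provider route of its own.
    return @app.call(env) unless @allowed.include?(env['REQUEST_METHOD'])

    # A GET carries no form body, so nothing proves the user intended it; that
    # is the CSRF vector the allowed-GET warning is about. As with Rails'
    # forgery protection, only non-safe methods get the token check.
    if env['REQUEST_METHOD'] != 'GET' && !valid_authenticity_token?(env)
      return [422, { 'content-type' => 'text/plain' }, ['invalid authenticity token']]
    end

    # Request phase proper: send the browser to the provider's authorize URL.
    # The real strategy appends client_id, redirect_uri, scope and a state nonce.
    [302, { 'location' => 'https://accounts.google.com/o/oauth2/v2/auth' }, []]
  end

  private

  def valid_authenticity_token?(env)
    expected = env.fetch('rack.session', {})['_csrf_token']
    body = env['rack.input'] ? env['rack.input'].read.to_s : ''
    submitted = URI.decode_www_form(body).to_h['authenticity_token']
    return false if expected.nil? || submitted.nil?
    secure_compare(expected, submitted)
  end

  # Constant-time comparison so token guessing does not leak through timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Downstream stand-in for the Rails router: it knows none of the /omniauth
# paths, so anything that falls through yields the error from the question.
ROUTER = lambda do |env|
  [404, { 'content-type' => 'text/plain' },
   ["No route matches [#{env['REQUEST_METHOD']}] \"#{env['PATH_INFO']}\""]]
end

def build_app(allowed_request_methods:)
  RequestPhaseGuard.new(ROUTER, allowed_request_methods: allowed_request_methods)
end

# Build a Rack env for one request. The session is an in-memory hash here;
# Rails would use its signed/encrypted cookie store.
def call_app(app, method, path, session: {}, form: {})
  app.call(
    'REQUEST_METHOD' => method,
    'PATH_INFO'      => path,
    'CONTENT_TYPE'   => 'application/x-www-form-urlencoded',
    'rack.input'     => StringIO.new(URI.encode_www_form(form)),
    'rack.session'   => session
  )
end

# Status codes for the cases discussed on the page, keyed by scenario.
def scenarios
  session = { '_csrf_token' => SecureRandom.hex(32) }   # constructed; issued to the sign-in form
  strict  = build_app(allowed_request_methods: [:post]) # OmniAuth 2 default
  lax     = build_app(allowed_request_methods: [:get])  # the accepted answer
  path    = '/omniauth/google_oauth2'
  {
    get_default:      call_app(strict, 'GET',  path, session: session)[0], # 404: the question's error
    get_allowed:      call_app(lax,    'GET',  path, session: session)[0], # 302: works, but any site can trigger it
    post_no_token:    call_app(strict, 'POST', path, session: session)[0], # 422: cross-site POST refused
    post_wrong_token: call_app(strict, 'POST', path, session: session,
                               form: { 'authenticity_token' => 'guess' })[0], # 422
    post_with_token:  call_app(strict, 'POST', path, session: session,
                               form: { 'authenticity_token' => session['_csrf_token'] })[0] # 302
  }
end

if $PROGRAM_NAME == __FILE__
  scenarios.each { |name, status| puts format('%-17s %d', name, status) }
end
```

Run it with ruby and it prints one status per scenario. The practical reading for the setup in the question: keep OmniAuth's POST default, add the omniauth-rails_csrf_protection gem, and have the client submit a POST form carrying the Rails authenticity token to /auth/google_oauth2 instead of opening that URL with a GET in a new tab; switching allowed_request_methods to [:get] makes the sign-in start reachable from any third-party page, which is what the warning and CVE-2015-9284 refer to.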