From: Tom Hughes <tom@compton.nu>
Date: Mon, 27 Dec 2021 10:25:44 +0000 (+0000)
Subject: Allow PATCH for OmniAuth requests
X-Git-Tag: live~1435
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/b0288b83bb437bbfc0deb325cca142066dc9848b

Allow PATCH for OmniAuth requests

This is required to allow the account settings screen, which now
uses the PATCH verb, to redirect to OmniAuth when the external
authentication provider is changed.

As PATCH still uses CSRF this doesn't impact CVE-2015-9284 which
is the reason for requiring POST and most importantly got not
allowing GET requests to OmniAuth.
---

diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 7889fca81..dd69aba83 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -8,6 +8,7 @@ OpenID::Util.logger = Rails.logger
 
 OmniAuth.config.logger = Rails.logger
 OmniAuth.config.failure_raise_out_environments = []
+OmniAuth.config.allowed_request_methods = [:post, :patch]
 
 if Settings.key?(:memcache_servers)
   require "openid/store/memcache"
diff --git a/config/routes.rb b/config/routes.rb
index 2983fea55..ade101821 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -178,7 +178,7 @@ OpenStreetMap::Application.routes.draw do
   # omniauth
   get "/auth/failure" => "users#auth_failure"
   match "/auth/:provider/callback" => "users#auth_success", :via => [:get, :post], :as => :auth_success
-  post "/auth/:provider" => "users#auth", :as => :auth
+  match "/auth/:provider" => "users#auth", :via => [:post, :patch], :as => :auth
 
   # permalink
   get "/go/:code" => "site#permalink", :code => /[a-zA-Z0-9_@~]+[=-]*/, :as => :permalink