Skip routing callback request if not in callback phase

There are other routes in OmniAuth strategies that will not assign `omniauth.auth`, and we don't want `omniauth_provider` to error or return `nil` in this case.
janko · Aug 31, 2024 · fbb5045 · fbb5045
1 parent dc51817
commit fbb5045
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/lib/rodauth/features/omniauth.rb b/lib/rodauth/features/omniauth.rb
@@ -42,7 +42,7 @@ module Rodauth
 
     def route_omniauth!
       result = super
-      handle_omniauth_callback if omniauth_request?
+      handle_omniauth_callback if omniauth_strategy&.on_callback_path?
       result
     end
 

diff --git a/lib/rodauth/features/omniauth_base.rb b/lib/rodauth/features/omniauth_base.rb
@@ -194,10 +194,6 @@ def handle_omniauth_response(res)
       end
     end
 
-    def omniauth_request?
-      request.env.key?("omniauth.strategy")
-    end
-
     def self.included(auth)
       auth.extend ClassMethods
       auth.instance_variable_set(:@omniauth_providers, [])

diff --git a/test/omniauth_test.rb b/test/omniauth_test.rb
@@ -135,6 +135,23 @@
     assert_equal '{"name":"New Name","email":"[email protected]"}', DB[:account_identities].first[:info]
   end
 
+  it "gracefully handles GET on request phase when GET is not allowed" do
+    OmniAuth.config.allowed_request_methods = %i[post]
+
+    rodauth do
+      enable :omniauth
+      omniauth_provider :developer
+    end
+    roda do |r|
+      r.rodauth
+    end
+
+    visit "/auth/developer"
+    assert_equal 404, page.status_code
+
+    OmniAuth.config.allowed_request_methods = %i[get post]
+  end
+
   it "deletes omniauth identities when account is closed" do
     rodauth do
       enable :omniauth, :close_account