From fbb50455e4be64a7ea8c0c3081738ee0e9c12cfa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janko=20Marohni=C4=87?=
Date: Sat, 31 Aug 2024 21:09:07 +0200
Subject: [PATCH] Skip routing callback request if not in callback phase

There are other routes in OmniAuth strategies that will not assign `omniauth.auth`, and we don't want `omniauth_provider` to error or return `nil` in this case.
---
 lib/rodauth/features/omniauth.rb | 2 +-
 lib/rodauth/features/omniauth_base.rb | 4 ----
 test/omniauth_test.rb | 17 +++++++++++++++++
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/lib/rodauth/features/omniauth.rb b/lib/rodauth/features/omniauth.rb
index c11670e..57ce0e1 100644
--- a/lib/rodauth/features/omniauth.rb
+++ b/lib/rodauth/features/omniauth.rb
@@ -42,7 +42,7 @@ module Rodauth
 def route_omniauth!
 result = super
- handle_omniauth_callback if omniauth_request?
+ handle_omniauth_callback if omniauth_strategy&.on_callback_path?
 result
 end
diff --git a/lib/rodauth/features/omniauth_base.rb b/lib/rodauth/features/omniauth_base.rb
index 2d2ff3b..acabda8 100644
--- a/lib/rodauth/features/omniauth_base.rb
+++ b/lib/rodauth/features/omniauth_base.rb
@@ -194,10 +194,6 @@ def handle_omniauth_response(res)
 end
 end
- def omniauth_request?
- request.env.key?("omniauth.strategy")
- end
-
 def self.included(auth)
 auth.extend ClassMethods
 auth.instance_variable_set(:@omniauth_providers, [])
diff --git a/test/omniauth_test.rb b/test/omniauth_test.rb
index c125a13..0bbb14e 100644
--- a/test/omniauth_test.rb
+++ b/test/omniauth_test.rb
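Review bot: In `route_omniauth!` (lib/rodauth/features/omniauth.rb) the new guard `omniauth_strategy&.on_callback_path?` is a path test, so it shows the request targeted the callback URL, not that the callback phase completed and assigned `omniauth.auth`. Neither `super` nor `handle_omniauth_callback` is visible in this hunk, so it is worth confirming that a failed callback (the strategy invoking its failure handler) halts inside `super` instead of falling through to account handling without an auth hash. A short comment above the guard would record the intent, for example `# only the callback phase assigns omniauth.auth; other strategy routes fall through`. The enclosing module starts and ends outside the hunk.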
@@ -135,6 +135,23 @@
 assert_equal '{"name":"New Name","email":"janko@hey.com"}', DB[:account_identities].first[:info]
 end
+ it "gracefully handles GET on request phase when GET is not allowed" do
+ OmniAuth.config.allowed_request_methods = %i[post]
+
+ rodauth do
+ enable :omniauth
+ omniauth_provider :developer
+ end
+ roda do |r|
+ r.rodauth
+ end
+
+ visit "/auth/developer"
+ assert_equal 404, page.status_code
+
+ OmniAuth.config.allowed_request_methods = %i[get post]
+ end
+
 it "deletes omniauth identities when account is closed" do
 rodauth do
 enable :omniauth, :close_account
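Review bot: The new example changes the process-wide `OmniAuth.config.allowed_request_methods` and restores it only on its last line, so a failing `assert_equal 404, page.status_code` skips the reset and every later example runs with POST-only request methods. Capture the old value and restore it in an `ensure` (or the suite's teardown hook) rather than hard-coding `%i[get post]`: `previous = OmniAuth.config.allowed_request_methods` at the top and `ensure` followed by `OmniAuth.config.allowed_request_methods = previous` at the bottom of the block. The example also covers only the blocked-GET request path; the other strategy routes mentioned in the commit message are not exercised by this hunk.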