【Question title】: No route matches "omniauth/:provider" when using devise, omniauth and devise-token-auth
【Posted】: 2021-03-09 00:21:06
【Question description】:

I am trying to allow my users to sign in with their Google account using devise, omniauth and devise-token-auth. To do so, I added the following code to a Rails API-only boilerplate.

# Gemfile

...

# authentication
gem 'devise', '~> 4.7'
gem 'devise_token_auth', git: 'https://github.com/lynndylanhurley/devise_token_auth'
gem 'omniauth', '~> 1.9.1'
gem 'omniauth-google-oauth2'

...

# config/initializers/omniauth.rb

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET']
end

# config/routes.rb

Rails.application.routes.draw do
  root 'application#home'

  mount_devise_token_auth_for 'User', at: 'auth'
end


For the frontend, I use j-toker, configured as follows:

Auth.configure({
  apiUrl: `http://localhost:8000/`,
  authProviderPaths: {
    google: `/auth/google_oauth2`,
  },
});

When the user clicks the "sign in with Google" button, I call

Auth.oAuthSignIn({ provider: `google` }).then(() => {
    // handle result
});

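Problem: when the user clicks the sign-in button, a new tab opens with the Rails error message No route matches [GET] "/omniauth/google_oauth2"

It seems /auth/google_oauth2 redirects to /omniauth/google_oauth2, but the /omniauth/:provider path doesn't exist

The output of rails routes is as follows: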

                                  Prefix Verb     URI Pattern                                                                                       Controller#Action
                                    root GET      /                                                                                                 application#home
                        new_user_session GET      /auth/sign_in(.:format)                                                                           devise_token_auth/sessions#new
                            user_session POST     /auth/sign_in(.:format)                                                                           devise_token_auth/sessions#create
                    destroy_user_session DELETE   /auth/sign_out(.:format)                                                                          devise_token_auth/sessions#destroy
                       new_user_password GET      /auth/password/new(.:format)                                                                      devise_token_auth/passwords#new
                      edit_user_password GET      /auth/password/edit(.:format)                                                                     devise_token_auth/passwords#edit
                           user_password PATCH    /auth/password(.:format)                                                                          devise_token_auth/passwords#update
                                         PUT      /auth/password(.:format)                                                                          devise_token_auth/passwords#update
                                         POST     /auth/password(.:format)                                                                          devise_token_auth/passwords#create
                cancel_user_registration GET      /auth/cancel(.:format)                                                                            devise_token_auth/registrations#cancel
                   new_user_registration GET      /auth/sign_up(.:format)                                                                           devise_token_auth/registrations#new
                  edit_user_registration GET      /auth/edit(.:format)                                                                              devise_token_auth/registrations#edit
                       user_registration PATCH    /auth(.:format)                                                                                   devise_token_auth/registrations#update
                                         PUT      /auth(.:format)                                                                                   devise_token_auth/registrations#update
                                         DELETE   /auth(.:format)                                                                                   devise_token_auth/registrations#destroy
                                         POST     /auth(.:format)                                                                                   devise_token_auth/registrations#create
                     auth_validate_token GET      /auth/validate_token(.:format)                                                                    devise_token_auth/token_validations#validate_token
                            auth_failure GET      /auth/failure(.:format)                                                                           users/omniauth_callbacks#omniauth_failure
                                         GET      /auth/:provider/callback(.:format)                                                                users/omniauth_callbacks#omniauth_success
                                         GET|POST /omniauth/:provider/callback(.:format)                                                            users/omniauth_callbacks#redirect_callbacks
                        omniauth_failure GET|POST /omniauth/failure(.:format)                                                                       users/omniauth_callbacks#omniauth_failure
                                         GET      /auth/:provider(.:format)                                                                         redirect(301)

As you can see, the /omniauth/:provider route doesn't even exist... any idea what the problem is?

【Comments】:

  • Any luck with this problem?
  • Any luck with this issue, vol. 2 :)

Tags: ruby-on-rails devise omniauth devise-token-auth


【Solution 1】:

Putting OmniAuth.config.allowed_request_methods = [:get] in the omniauth initializer solved this for me.

Like this:

Rails.application.config.middleware.use OmniAuth::Builder do
  OmniAuth.config.allowed_request_methods = [:get]
  provider :google_oauth2, ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET']
end

However, it must be noted that allowing GET requests gives the following warning:

You are using GET as an allowed request method for OmniAuth. This may leave
  you open to CSRF attacks. As of v2.0.0, OmniAuth by default allows only POST
  to its own routes. You should review the following resources to guide your
  mitigation:
  https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
  https://github.com/omniauth/omniauth/issues/960
  https://nvd.nist.gov/vuln/detail/CVE-2015-9284
  https://github.com/omniauth/omniauth/pull/809

  You can ignore this warning by setting:
  OmniAuth.config.silence_get_warning = true

So it's better to allow only POST requests
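
Added example (not from the original post and not OmniAuth's own code): a simplified plain-Ruby model of why /omniauth/:provider never appears in rails routes yet is answered under some settings. It assumes the request phase is served by Rack middleware that checks the path and the allowed verbs before the router runs; RequestPhaseGate, ROUTER and provider.example are hypothetical names.

```ruby
# Simplified model of the request-phase gate in an OmniAuth-style Rack
# middleware. Illustrative only: all names here are hypothetical.

# Stand-in for the Rails router: it has no /omniauth/:provider route,
# matching the `rails routes` output in the question.
ROUTER = lambda do |env|
  [404, {}, ["No route matches [#{env['REQUEST_METHOD']}] \"#{env['PATH_INFO']}\""]]
end

class RequestPhaseGate
  def initialize(app, allowed_request_methods:, path_prefix: '/omniauth')
    @app = app
    @allowed = allowed_request_methods
    @path_prefix = path_prefix
  end

  def call(env)
    provider = env['PATH_INFO'][%r{\A#{Regexp.escape(@path_prefix)}/(\w+)\z}, 1]
    verb = env['REQUEST_METHOD'].downcase.to_sym
    # The middleware answers only when both the path and the verb match.
    if provider && @allowed.include?(verb)
      # Constructed redirect target standing in for the identity provider.
      return [302, { 'Location' => "https://provider.example/authorize?p=#{provider}" }, []]
    end
    # Otherwise the request falls through to the router, which has no such route.
    @app.call(env)
  end
end

# Sends one request for the path from the question through the gate and
# returns [status, first body chunk].
def request_phase(verb, allowed)
  env = { 'REQUEST_METHOD' => verb, 'PATH_INFO' => '/omniauth/google_oauth2' }
  status, _headers, body = RequestPhaseGate.new(ROUTER, allowed_request_methods: allowed).call(env)
  [status, body.first]
end
```

With POST-only, the GET produced by the redirect falls through to the router and yields the error from the question, while a POST to the same path is handled by the middleware.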
