6

I am not using devise or some other like-gem. I am very new to RoR.

Here is my routes.rb

# For details on the DSL available within this file, see https://guides.rubyonrails.org/routing.html

Rails.application.routes.draw do
  get "about", to: "about#index"

  get "password", to: "passwords#edit", as: :edit_password
  patch "password", to: "passwords#update"

  get "password/reset", to: "password_resets#new"
  post "password/reset", to: "password_resets#create"
  get "password/reset/edit", to: "password_resets#edit"
  patch "password/reset/edit", to: "password_resets#update"
  
  get '/auth/:provider/callback', to: 'sessions#create'

  get "sign_up", to: "registrations#new"
  post "sign_up", to: "registrations#create"

  get "sign_in", to: "sessions#new"
  post "sign_in", to: "sessions#create"

  delete "logout", to: "sessions#destroy"

  root to: "main#index"
end

Here is user.rb

# email:string
# password_digest:string
#
# password:string virtual
# password_confirmation:string virtual

class User < ApplicationRecord
  has_secure_password

  validates :email, presence: true, format: { with: /\A[^@\s]+@[^@\s]+\z/, message: "must be a valid email address" }
  
end

here is my omniauth.rb

Rails.application.config.middleware.use OmniAuth::Builder do
    provider :twitter,Rails.application.credentials.dig(:twitter,:api_key), Rails.application.credentials.dig(:twitter,:api_key)
end

I have made all the settings in my Twitter app. Please help.

Denish Goklani
  • 77
  • 4
  • I have the same issue, adding `OmniAuth.config.allowed_request_methods = [:post, :get]` to allow a get request to that route solves it but it throws another error. Additionally, using the line I just mentioned could be adding a security flaw. Will keep an eye for answers here. – csalmeida Feb 04 '21 at 14:40
  • Noticed that in your `omniauth.rb` you are digging `:api_key` twice and I assume the latter should be `:api_secret`. Have you tried to changed those details? – csalmeida Feb 04 '21 at 14:41
  • The [Upgrading to 2.0](https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0) OmniAuth guide may also be of use. I know the question asked about Rails, but the Sinatra section fixed my problem. – Dave Powers Sep 10 '21 at 18:03

3 Answers3

18

I'm the author of the Ruby on Rails for Beginners course. I've updated the videos to reflect the changes.

Omniauth 2.0 was released which requires you to use POST requests now for security.

Now we'll add two gems:

bundle add omniauth-twitter omniauth-rails_csrf_protection

And make sure you've got api_secret as the second argument in your omniauth.rb initializer:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :twitter,Rails.application.credentials.dig(:twitter,:api_key), Rails.application.credentials.dig(:twitter,:api_secret)
end

Then you can redirect to twitter by adding method: :post to your link_to or button_to

link_to "Connect Twitter", "/auth/twitter", method: :post, class: "btn btn-primary"
button_to "Connect Twitter", "/auth/twitter", method: :post, class: "btn btn-primary"

This works with both Project and Standalone Twitter apps so you can use either one.

excid3
  • 1,658
  • 15
  • 31
1

At this point in time, the Twitter API started rolling in their v2 version of their API. The tutorial makes use of v1.1 so please make sure to use that one instead in the meantime. To do so, create a Standalone App instead:

Twitter Developer Portal Showing a Standalone App created opposed to one made in a project.

After adding the API keys to the Rails credentials and adding the http://localhost:3000/auth/twitter/callback to the Callbacks URL config in the Twitter developer portal, add the following extra lines to omniauth.rb, these will re-enable get requests to localhost:3000/auth/twitter and remove the security warning from the console:

# Required to allow get requests, which enables a security flaw but that's how the tutorial is set up.
OmniAuth.config.allowed_request_methods = [:post, :get]
OmniAuth.config.silence_get_warning = true

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :twitter, Rails.application.credentials.dig(:twitter, :api_key), Rails.application.credentials.dig(:twitter, :api_secret)
end

Restart your Rails server and navigate to localhost:3000/auth/twitter, this should redirect you to a url that looks similar to the following:

https://api.twitter.com/oauth/authenticate?oauth_token=xov0NQAAAAABMcOqAAABd3F1_T0

This URL will render an authorize screen if the Twitter account being used has not yet enabled the app:

Twitter API App authorization screen

Provided that your OmniauthCallbacksController looks like this:

class OmniauthCallbacksController < ApplicationController
  def twitter
    render plain: "success"
  end
end

Your app should redirect to /auth/twitter/callback. The url will look something like http://localhost:3000/auth/twitter/callback?oauth_token=D4V2tAAAAAABMcOqAAABd3GFmgM&oauth_verifier=TSxCgaVsoQzY039l5DKQBJQiLKkaWBCA and it should print success on the page.

Hope this helps!

csalmeida
  • 528
  • 7
  • 26
0

Seems that there was a change to the OmniAuth gem where it, by default, only allows POST requests. Add this to your omniauth.rb file to allow GET requests:

OmniAuth.config.allowed_request_methods = [:post, :get]

There are security reasons why this change was made. Not ones I can explain unfortunately. But this will allow you to finish the GoRails tutorial!

Dana
  • 1
  • 1
  • Thanks Dana, but that will still throw an `OAuth::Unauthorized` error, at least for me? If this is working for everyone else you can add `OmniAuth.config.silence_get_warning = true` to silence the security warning in your console. – csalmeida Feb 05 '21 at 08:13