Use verify_authenticity_token directly

nevans · nevans · commit dcdf69862795 · 2024-11-09T12:32:35.000-05:00
By adding a logger and setting the protection_strategy to raise an
exception, we can use verify_authenticity_token directly.  The main
benefit of this is that we will get a more helpful error message
attached to the exception.
diff --git a/lib/omniauth/rails_csrf_protection/token_verifier.rb b/lib/omniauth/rails_csrf_protection/token_verifier.rb
@@ -28,22 +28,29 @@ def self.config
       # our configuration delegate to `ActionController::Base`.
       config.each_key do |key| config.delete(key) end
 
+      # OmniAuth expects us to raise an exception on auth failure.
+      self.forgery_protection_strategy = protection_method_class(:exception)
+
+      # Logging from ActionController::RequestForgeryProtection is redundant.
+      # OmniAuth logs basically the same message (from the exception).
+      self.log_warning_on_csrf_failure = false
+
       def call(env)
         dup._call(env)
       end
 
       def _call(env)
         @request = ActionDispatch::Request.new(env.dup)
 
-        unless verified_request?
-          raise ActionController::InvalidAuthenticityToken
-        end
+        verify_authenticity_token
       end
 
       private
 
         attr_reader :request
         delegate :params, :session, to: :request
+
+        delegate :logger, to: OmniAuth
     end
   end
 end
