Skip to content

fix: avoid javascript for omniauth logins

Diego Louzán requested to merge siemens/gitlab:fix/omniauth-buttons-js into master

What does this MR do?

When a user clicks on an Omniauth login icon (e.g. Google), Rails will translate a link_to URL from a GET to a POST form submission via JavaScript. However, if JavaScript is disabled or not loaded before the page loads, this will cause a GET request to go to the login provider instead of POST, resulting in a 404.

To avoid this, we use button_to instead of link_to. button_to will set a form submission with a POST request without JavaScript.

Closes #28904 (closed)

🛠 with at Siemens

/cc @bufferoverflow @rpaik

Screenshots

Before (using link_to generating a elements)

image

After (using button_to generating form and button)

image

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Diego Louzán

Merge request reports

Loading