Ruby on Rails Sunday, June 30, 2013

My app currently has two ways a user can sign in using OAuth via Github:

- Click a button to read something protected. This triggers a
before_filter called authorize, which says:

authorize_github_and_return_to request.url unless signed_in?

This way works just fine (though using the same technique on a
Destroy link doesn't work, presumably due to the _method=delete stuff
not working in the wrong context).

- Click a link that goes to /sign_in. This triggers
SessionsController#new, which says:

authorize_github_and_return_to params.fetch(:return_to, root_url)

This way does NOT work, whether I use a return_to parameter or not.
It leaves me with a page that says "You are being redirected." with
"redirected" being a link to a Github auth page... the very same URL
as the way that works, except for the part after final_url (where to
return to). In the browser's address bar is
"http://localhost:3000/sign_in?return_to=http%3A%2F%2Flocalhost%3A3000%2F".
The logs say:

Started GET "/sign_in?return_to=http%3A%2F%2Flocalhost%3A3000%2F" for
127.0.0.1 at 2013-06-30 17:52:02 -0400
Processing by SessionsController#new as HTML
Parameters: {"return_to"=>"http://localhost:3000/"}
Redirected to https://github.com/login/oauth/authorize?response_type=code&client_id=de15557094c58f8b146d&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fgithub%2Fcallback%3Ffinal_url%3Dhttp%253A%252F%252Flocalhost%253A3000%252F
Completed 403 Forbidden in 2ms (ActiveRecord: 0.0ms)

Now here's the weird part... if I then go to the address bar and hit
return... IT WORKS! Then the logs say (note the EXACT SAME
redirection url above and below):

Started GET "/sign_in?return_to=http%3A%2F%2Flocalhost%3A3000%2F" for
127.0.0.1 at 2013-06-30 17:52:52 -0400
Processing by SessionsController#new as HTML
Parameters: {"return_to"=>"http://localhost:3000/"}
Redirected to https://github.com/login/oauth/authorize?response_type=code&client_id=de15557094c58f8b146d&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fgithub%2Fcallback%3Ffinal_url%3Dhttp%253A%252F%252Flocalhost%253A3000%252F
Completed 302 Found in 1ms (ActiveRecord: 0.0ms)


Started GET "/auth/github/callback?code=f622c143d1321386ea60&final_url=http%3A%2F%2Flocalhost%3A3000%2F"
for 127.0.0.1 at 2013-06-30 17:52:53 -0400
I, [2013-06-30T17:52:53.041032 #26853] INFO -- omniauth: (github)
Callback phase initiated.
Processing by SessionsController#create as HTML
Parameters: {"code"=>"f622c143d1321386ea60",
"final_url"=>"http://localhost:3000/", "provider"=>"github"}
Redirected to http://localhost:3000/
Completed 302 Found in 0ms (ActiveRecord: 0.0ms)


Started GET "/" for 127.0.0.1 at 2013-06-30 17:52:54 -0400
Processing by PullRequestsController#index as HTML
(0.2ms) SELECT COUNT(*) FROM "pull_requests"
PullRequest Load (0.2ms) SELECT "pull_requests".* FROM "pull_requests"
Rendered pull_requests/index.html.erb within layouts/application (2.4ms)
Rendered layouts/_log_in_out.html.erb (0.1ms)
Completed 200 OK in 12ms (Views: 11.0ms | ActiveRecord: 0.5ms)

The method authorize_github_and_return_to is in
application_controller.rb and says:

def authorize_github_and_return_to final_url
  # build the GitHub OAuth client from the app's credentials
  github = Github.new(client_id: ENV['GITHUB_KEY'],
                      client_secret: ENV['GITHUB_SECRET'])
  # carry final_url through the callback so the user lands back where they started
  redirect_uri = oauth_callback_url(:github, final_url: final_url)
  auth_address = github.authorize_url(redirect_uri: redirect_uri)
  redirect_to auth_address
end

If I put a binding.pry right before the redirect, I can see that the
URLs are identical (again, except for the final_url part).

I'm guessing that the key to this mystery is WHY the link to /sign_in
is returning 403. I've Googled "OAuth Github Devise sign_in (403 OR
forbidden)" (sans quotes) and didn't find anything useful. Any clues?

Thanks,
Dave

--
Dave Aronson, the T. Rex of Codosaurus LLC,
secret-cleared freelance software developer
taking contracts in or near NoVa or remote.
See information at http://www.Codosaur.us/.
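In the post, the user-supplied return_to parameter is carried through as final_url and the callback then redirects to it. As an added example that is not part of the original post, here is one way to constrain such a value to the app's own origin before passing it to redirect_to; the module name SafeReturnTo and the app_host argument are assumptions.

```ruby
require "uri"

# Added example, not from the original post: keep a user-supplied
# return_to / final_url on the application's own origin before handing
# it to redirect_to; anything else collapses to a safe default path.
module SafeReturnTo
  DEFAULT = "/".freeze
  SCHEMES = %w[http https].freeze

  # app_host is assumed to be the host (with port) the app is served on,
  # e.g. "localhost:3000" as in the post's logs; a Rails controller would
  # pass request.host_with_port.
  def self.sanitize(candidate, app_host:, default: DEFAULT)
    return default if candidate.nil? || candidate.strip.empty?
    # Some browsers treat "/\evil" like "//evil"; reject backslashes outright.
    return default if candidate.include?("\\")

    uri = URI.parse(candidate)
    if uri.scheme || uri.host
      # Absolute or protocol-relative ("//host"): only http(s) on our own host.
      return default unless SCHEMES.include?(uri.scheme)
      return default unless host_with_port(uri) == app_host
      path = uri.path.empty? ? "/" : uri.path
      return uri.query ? "#{path}?#{uri.query}" : path
    end

    # Relative input: require a single leading slash (a path inside the app).
    return default unless candidate.start_with?("/") && !candidate.start_with?("//")
    candidate
  rescue URI::InvalidURIError
    default
  end

  def self.host_with_port(uri)
    uri.port == uri.default_port ? uri.host : "#{uri.host}:#{uri.port}"
  end
  private_class_method :host_with_port
end
```

The callback would then do redirect_to SafeReturnTo.sanitize(params[:final_url], app_host: request.host_with_port) instead of redirecting to the raw parameter.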
