Description
I'm using google oauth2 for authenticating users with my web service. Most of the pages on the web service are JSON. Users typically are navigating to a page that has content-type: application/json and then they are forwarded to google's authentication page. Once authenticated, in the oauth callback I redirect them back to their originally requested page, which is JSON. Sinatra's JsonCsrf protection however is stepping in and blocking the redirect because the referer header, https://accounts.google.com/AccountChooser..., does not match the host header mywebservice.com. Is there an idiomatic way to bypass this? I've tried to use the httpOrigin protection allow_if feature:
```ruby
set :allow_if => lambda { |env|
  if env.has_key?('HTTP_REFERER') && env['HTTP_REFERER'] =~ /^https:\/\/accounts\.google\.com\/AccountChooser/
    puts "MATCHED HTTP_REFERER"
    true
  else
    puts "NOT MATCHED HTTP_REFERER"
    false
  end
}
```

This however is not working for me. Does httpOrigin allow_if override the jsoncsrf detection? I'd rather not turn off jsoncsrf for the whole webservice.
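The following is an added, self-contained illustration and not code from the issue author, Sinatra or rack-protection. It reproduces the decision JsonCsrf makes (an `application/json` response with no `Origin` header is refused when the `Referer` host differs from the request host) as a small Rack-style middleware with an `allow_if` hook, so the effect of a referer allow-list can be exercised offline against constructed `env` hashes. The class name `IllustrativeJsonCsrf`, the predicate `ALLOW_GOOGLE_REFERER`, the helper `status_for` and all hosts and URLs in it are assumptions made for the example; the real middleware's exact checks and option names should be read from the installed gem.

```ruby
require 'uri'

# Added illustration modelled on the JsonCsrf check; NOT rack-protection's code.
# Blocks an application/json response when no Origin header is present and the
# Referer host differs from the request host, unless allow_if accepts the env.
class IllustrativeJsonCsrf
  def initialize(app, allow_if: nil)
    @app = app
    @allow_if = allow_if
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [403, { 'content-type' => 'text/plain' }, ['Forbidden']] if has_vector?(env, headers)
    [status, headers, body]
  end

  private

  # XHR requests and allow_if short-circuit first; only JSON responses that
  # arrived without an Origin header are then compared by referer host.
  def has_vector?(env, headers)
    return false if env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
    return false if @allow_if && @allow_if.call(env)
    return false unless json_response?(headers)
    return false if env['HTTP_ORIGIN']
    referer_host(env) != env['HTTP_HOST']
  end

  def json_response?(headers)
    ctype = headers.find { |k, _| k.to_s.casecmp('content-type').zero? }&.last.to_s
    ctype.split(';').first.to_s.strip == 'application/json'
  end

  # An absent referer counts as same-host; an unparsable one is blocked.
  def referer_host(env)
    ref = env['HTTP_REFERER'].to_s
    return env['HTTP_HOST'] if ref.empty?
    URI.parse(ref).host || env['HTTP_HOST']
  rescue URI::InvalidURIError
    nil
  end
end

# Hypothetical allow_if predicate for the issue's scenario: accept only when the
# Referer parses to exactly https://accounts.google.com, so a lookalike host such
# as accounts.google.com.evil.example does not qualify (a host-exact comparison,
# not a substring or prefix match on the raw header).
def allow_google_referer?(env)
  uri = URI.parse(env['HTTP_REFERER'].to_s)
  uri.scheme == 'https' && uri.host == 'accounts.google.com'
rescue URI::InvalidURIError
  false
end
ALLOW_GOOGLE_REFERER = ->(env) { allow_google_referer?(env) }

# Two stand-in downstream apps: the JSON page and the OAuth callback's redirect.
JSON_APP     = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']] }
REDIRECT_APP = ->(_env) { [302, { 'Location' => '/report.json' }, []] }

# Constructed sample Rack env (not a captured request).
def build_env(host: 'mywebservice.com', referer: nil, origin: nil)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/report.json', 'HTTP_HOST' => host }
  env['HTTP_REFERER'] = referer if referer
  env['HTTP_ORIGIN']  = origin  if origin
  env
end

# Status the client would see for a given downstream app, referer and predicate.
def status_for(app, referer, allow_if: nil)
  IllustrativeJsonCsrf.new(app, allow_if: allow_if).call(build_env(referer: referer)).first
end

GOOGLE    = 'https://accounts.google.com/AccountChooser'
LOOKALIKE = 'https://accounts.google.com.evil.example/AccountChooser'

if $PROGRAM_NAME == __FILE__
  puts status_for(JSON_APP, 'https://mywebservice.com/')                 # same host: passes
  puts status_for(JSON_APP, GOOGLE)                                      # cross host, JSON: blocked
  puts status_for(JSON_APP, GOOGLE, allow_if: ALLOW_GOOGLE_REFERER)      # allow-listed: passes
  puts status_for(JSON_APP, LOOKALIKE, allow_if: ALLOW_GOOGLE_REFERER)   # lookalike: still blocked
  puts status_for(REDIRECT_APP, GOOGLE)                                  # not JSON: never examined
end
```

Two practical notes follow from the model. First, the 302 from the callback is not what the middleware refuses, because it is not a JSON response; the refused request is the JSON page the browser fetches after following the redirect, which still carries the Google referer. Second, in Sinatra the options for Rack::Protection are passed through the `protection` setting (`set :protection, allow_if: ...`) rather than as a top-level setting, and whether JsonCsrf itself consults `allow_if` depends on the installed rack-protection version, so check the `has_vector?` method of the gem in use before relying on it. Whichever hook is used, compare the parsed referer host exactly, as above, rather than matching a prefix of the raw header.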