Rails + OAuth Github - Deprecation notice for authentication via URL query parameters. How do I move params to header?

Question

This is my first time doing github oauth in Rails so I followed a YouTube tutorial which was out of date (2015). It was clear and my app works, however when I successfully signed up I got the following email:

Hi @NAME,

On July 30th, 2020 at 19:31 (UTC) your application used an access token (with the User-Agent Faraday v0.17.0) as part of a query parameter to access an endpoint through the GitHub API:

https://api.github.com/user

Please use the Authorization HTTP header instead as using the access_token query parameter is deprecated.

Depending on your API usage, we'll be sending you this email reminder on a monthly basis.

Visit https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param for more information about suggested workarounds and removal dates.

Thanks, The GitHub Team

And indeed my secret info is visible in my url: https://github.com/login?client_id=123456789&return_to=%2Flogin%2Foauth%2Fauthorize%3Fclient_id%123456789%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4000%252Fauth%252Fgithub%252Fcallback%26response_type%3Dcode%26state%123456789

I need to move these things to the header, but I don't know how to do that. My code is:

Application Config

module AppName
  class Application < Rails::Application
    # Initialize configuration defaults for originally generated Rails version.
    config.load_defaults 6.0

    # Settings in config/environments/* take precedence over those specified here.
    # Application configuration can go into files in config/initializers
    # -- all .rb files in that directory are automatically loaded after loading
    # the framework and any gems in your application.
    config.middleware.use OmniAuth::Builder do
      provider :developer if Rails.env.development?
      provider :github, ENV['CLIENTID'], ENV['CLIENTSECRET']
    end
  end
end

Session Controller

class SessionController < ApplicationController
  skip_before_action :verify_authenticity_token, only: [:create]

  def create
    user = User.find_or_create_by(
      provider: auth_hash[:provider],
      uid: auth_hash[:uid]
    ) do |user|
      user.name = auth_hash[:info][:name]
    end

    session[:user_id] = user.id

    redirect_to :about
  end

  def destroy
    reset_session

    redirect_to :root
  end

  private

  def auth_hash
    request.env['omniauth.auth']
  end
end

Routes:

get 'auth/github', as: 'github_auth'

Gemfile:

# Login
gem 'omniauth'
gem 'omniauth-github', github: 'omniauth/omniauth-github', branch: 'master'

More info from github: https://developer.github.com/changes/2020-02-10-deprecating-auth-through-query-param/

Answer 1

This email tells you that you are making requests like this https://api.github.com/user?access_token=<your_token_value> and this is deprecated. You should put access_token value inside Authorization header and value should be prefixed with token e.g. token <your_token_value>. This lib is using oauth2 gem and I think you should configure options.mode and probably options.header_format because it is set to Bearer %s by default.

provider :github, ENV['GITHUB_KEY'], ENV['GITHUB_SECRET'],
    {
      :auth_token_params => {
        :mode => :header,
        :header_format => 'token %s',
      }
    }