I'm trying to wrap my head around why a problem I was struggling with is now magically resolved.
I am building a Rails app that uses Spotify OAuth (via the rspotify gem) and became stuck on the exact issue described here. After spinning my wheels, I finally came across this comment, recommending that I explicitly add the omniauth gem to my Gemfile.
Now, this omniauth gem was already a dependency in Gemfile.lock for omniauth-oauth2 specifically. As the linked comment recommends, I included omniauth in my Gemfile and now my problem is seemingly resolved, but I don't really know why.
Gemfile resolve a railtie issue in this case?Gemfile.lock) isn't that evidence that a given gem was installed? If, say, gem_foo is listed as a dependency in Gemfile.lock and I add gem_foo in Gemfile and then run Bundler, how does Rails interpret this change?This is related to how gems are loaded by bundler. Bundler.require requires gems listed in Gemfile but does not require its dependecy. Its upto the library to require/load its dependency.
The mentioned issue happens when omniauth is not added explicitly to Gemfile, hence bundler does not require it.
But since omniauth-rails_csrf_protection assumes the ominauth is already required, it errors out when user only adds omniauth-rails_csrf_protection but does not add omniauth to Gemfile.
I have created a possible fix for the issue https://github.com/cookpad/omniauth-rails_csrf_protection/pull/13
UPDATE: The is fix has been merged in the gem repo.