- match '/auth/:provider/callback', :to => 'user_sessions#create'
- match '/auth/failure', :to => 'user_sessions#failure'
+ match '/auth/:provider/callback', to: 'user_sessions#create', via: [:get, :post]
+ match '/auth/failure', to: 'user_sessions#failure', via: [:get, :post]
+ # not handled by omniauth provider -> 403 with no CORS headers.
+ get '/auth/*a', to: 'user_sessions#cross_origin_forbidden'