Auto-require omniauth-rails_csrf_protection in the gem entry point

Without this, a host app that uses `gem "activeadmin-oidc"` never
triggers the `omniauth-rails_csrf_protection` railtie: Bundler.require
only auto-requires top-level Gemfile entries, not transitive gemspec
dependencies. The result is that OmniAuth 2.x's Rack-level CSRF check
runs against `button_to` posts and rejects them with
OmniAuth::AuthenticityError.

Requiring the railtie from the gem's own entry point registers
OmniAuth::RailsCsrfProtection::Railtie with Rails before the
initializer phase runs, so Rails' forgery protection transparently
takes over for OmniAuth POSTs. Also pulls rails/railtie first so the
require is safe outside of a fully-booted Rails environment (e.g.
plain spec_helper contexts).

Hit live during end-to-end testing with the Zitadel demo app.

Author: Fivell

lib/activeadmin-oidc.rb

@@ -2,6 +2,22 @@
 
 require "activeadmin/oidc/version"
 
+# `omniauth-rails_csrf_protection` registers a Railtie that replaces
+# OmniAuth 2.x's Rack-level authenticity check with Rails' own forgery
+# protection. It's a runtime dependency of this gem, but `Bundler.require`
+# in host apps only auto-requires top-level Gemfile entries — not
+# transitive deps pulled in via our gemspec. We `require` it here so
+# that the railtie gets loaded whenever a host does
+# `gem "activeadmin-oidc"`, and CSRF-protected OmniAuth POSTs work
+# out of the box with `button_to`-style login buttons.
+#
+# `omniauth/rails_csrf_protection/railtie` references `Rails::Railtie`
+# at file load, so pull in the minimal Railtie base class first — this
+# keeps the require safe even in spec_helper contexts where the full
+# Rails stack hasn't been initialized yet.
+require "rails/railtie"
+require "omniauth/rails_csrf_protection"
+
 module ActiveAdmin
   module Oidc
     class Error < StandardError; end

spec/unit/packaging_spec.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+# These are packaging-correctness tests: they verify that the gem's
+# main entry point wires in all the runtime glue a host app needs after
+# a plain `gem "activeadmin-oidc"` + `Bundler.require`.
+#
+# Why text-level? `Bundler.require` only auto-requires gems listed in
+# the Gemfile, not the transitive dependencies pulled in via our
+# gemspec. So a host that does `gem "activeadmin-oidc"` will NOT
+# auto-load `omniauth-rails_csrf_protection` — our gem has to require
+# it explicitly. The gem's own Gemfile uses `gemspec` which DOES load
+# all runtime deps, so a behavior test inside this suite would always
+# pass and silently miss regressions. Parsing the entry-point file
+# catches that.
+RSpec.describe "packaging" do
+  let(:entry_point_path) do
+    File.expand_path("../../lib/activeadmin-oidc.rb", __dir__)
+  end
+
+  let(:entry_point_source) { File.read(entry_point_path) }
+
+  it "requires omniauth/rails_csrf_protection so its railtie registers before the app boots" do
+    expect(entry_point_source).to match(/^require\s+["']omniauth\/rails_csrf_protection["']/)
+  end
+
+  it "loads OmniAuth::RailsCsrfProtection::TokenVerifier at require time" do
+    # Second guard: even if the grep above drifted, the constant must
+    # exist by the time the gem is loaded.
+    require "activeadmin-oidc"
+    expect(defined?(OmniAuth::RailsCsrfProtection::TokenVerifier))
+      .to eq("constant")
+  end
+end