Handle CSRF token verification in Rails >= 3.0.4. Fixes #4.

1 parent 83cbeb6 commit 466f4c888b435c1994e669a3621192a06910e458 David Yip committed Jan 4, 2012
@@ -4,6 +4,10 @@ Aker-Rails History
3.0.2
-----
+### Fixes
+
+- CSRF token verification in Rails >= 3.0.4 is now properly handled (#4).
+
### Development
- Added missing LICENSE. Aker-Rails is made available under the MIT
@@ -16,7 +16,7 @@ Gem::Specification.new do |s|
s.email = "r-sutphin@northwestern.edu"
s.homepage = "https://github.com/NUBIC/aker-rails"
- s.add_runtime_dependency "rails", "~> 3.0"
+ s.add_runtime_dependency "rails", "~> 3.0", ">= 3.0.4"
# This is deliberately open -- I expect that this rails plugin will
# change much less frequently than the library.
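Review bot: the new `">= 3.0.4"` floor is required, not optional, because the controller override in this commit calls `super` from `handle_unverified_request`, a hook that Rails only introduced in 3.0.4; on an older 3.0.x the call would raise NoMethodError. The comment that follows ("This is deliberately open") now reads slightly at odds with the floor, so consider extending it with the reason for the minimum version.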
@@ -0,0 +1,12 @@
+Feature: Rails CSRF interaction
+ Background:
+ Given I am using the user interface
+ And I am logged in as mr296
+
+ Scenario: CSRF attacks are not processed
+ When I access a protected page without a CSRF token
+ Then I am on the login page
+
+ Scenario: Requests with a CSRF token are processed
+ When I access a protected page with a correct CSRF token
+ Then I can access that protected page
@@ -45,6 +45,19 @@
get url
end
+When /^I access a protected page without a CSRF token$/ do
+ post '/protected'
+end
+
+When /^I access a protected page with a correct CSRF token$/ do
+ get '/protected'
+
+ page.body =~ /CSRF (\S+)/
+ header 'X-CSRF-Token', $1
+
+ post '/protected'
+end
+
Then /^I can access that (\S+) page$/ do |page_name|
page.code.should == '200'
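Review bot: in the "with a correct CSRF token" step, `page.body =~ /CSRF (\S+)/` is not checked for success before `header 'X-CSRF-Token', $1`, so if the protected page ever stops rendering the token the header is set to nil and the scenario fails with a misleading "redirected to login" instead of a clear "token not found"; assert on the match (e.g. `page.body.should =~ /CSRF (\S+)/`) before using `$1`. Note also that both steps exercise only the `X-CSRF-Token` header path; the `authenticity_token` form-parameter path that real Rails forms use is not covered by these scenarios.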
@@ -39,6 +39,15 @@ def get(url)
@headers = nil
end
+ def post(url)
+ begin
+ @page = agent.post(app_url(url), {}, headers)
+ rescue Mechanize::ResponseCodeError => e
+ @page = e.page
+ end
+ @headers = nil
+ end
+
def submit(form, button=nil)
button ||= form.buttons.first
begin
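Review bot: `post` always sends an empty body (`agent.post(app_url(url), {}, headers)`), which is why the step definitions can only pass the token via a header; accepting an optional params hash (`def post(url, params = {})`) would let a future scenario cover the form-parameter token as well. Otherwise the helper correctly mirrors `get`: it captures the error page from `Mechanize::ResponseCodeError` and clears `@headers` after the request so a token header cannot leak into the next step.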
@@ -35,6 +35,14 @@ def aker_authorize
request.env['aker.check'].authentication_required!
end
+ def handle_unverified_request
+ super
+
+ if request.env['aker.interactive']
+ request.env['aker.check'].user = nil
+ end
+ end
+
##
# Extensions for the rails controller DSL for
# authentication-required controllers.
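Review bot: the override lacks the `##` doc comment the neighbouring methods carry; it should state that `super` (Rails >= 3.0.4 resets the session there) runs first and that the Aker user is then dropped only for interactive requests so the request is treated as unauthenticated and redirected to login. That asymmetry deserves a sentence of its own: a non-interactive request that fails verification keeps `request.env['aker.check'].user` after `super`, and the comment should say whether that is intended (for example because non-interactive clients authenticate per request rather than via the session) or is simply out of scope for this fix.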
@@ -1 +1,2 @@
+CSRF <%= form_authenticity_token %>
I'm protected, <%= current_user.full_name %>.