Handle CSRF token verification in Rails >= 3.0.4. Fixes #4.

NUBIC · Jan 4, 2012 · 466f4c8 · 466f4c8
1 parent 83cbeb6
commit 466f4c8
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ Aker-Rails History
 3.0.2
 -----
 
+### Fixes
+
+- CSRF token verification in Rails >= 3.0.4 is now properly handled (#4).
+
 ### Development
 
 - Added missing LICENSE. Aker-Rails is made available under the MIT

diff --git a/aker-rails.gemspec b/aker-rails.gemspec
@@ -16,7 +16,7 @@ Gem::Specification.new do |s|
   s.email = "r-sutphin@northwestern.edu"
   s.homepage = "https://github.com/NUBIC/aker-rails"
 
-  s.add_runtime_dependency "rails", "~> 3.0"
+  s.add_runtime_dependency "rails", "~> 3.0", ">= 3.0.4"
 
   # This is deliberately open -- I expect that this rails plugin will
   # change much less frequently than the library.

diff --git a/features/csrf.feature b/features/csrf.feature
@@ -0,0 +1,12 @@
+Feature: Rails CSRF interaction
+  Background:
+    Given I am using the user interface
+    And I am logged in as mr296
+
+  Scenario: CSRF attacks are not processed
+    When I access a protected page without a CSRF token
+    Then I am on the login page
+
+  Scenario: Requests with a CSRF token are processed
+    When I access a protected page with a correct CSRF token
+    Then I can access that protected page
diff --git a/features/step_definitions/http_steps.rb b/features/step_definitions/http_steps.rb
@@ -45,6 +45,19 @@
   get url
 end
 
+When /^I access a protected page without a CSRF token$/ do
+  post '/protected'
+end
+
+When /^I access a protected page with a correct CSRF token$/ do
+  get '/protected'
+
+  page.body =~ /CSRF (\S+)/
+  header 'X-CSRF-Token', $1
+
+  post '/protected'
+end
+
 Then /^I can access that (\S+) page$/ do |page_name|
   page.code.should == '200'
 

diff --git a/features/support/mechanize_test.rb b/features/support/mechanize_test.rb
@@ -39,6 +39,15 @@ def get(url)
       @headers = nil
     end
 
+    def post(url)
+      begin
+        @page = agent.post(app_url(url), {}, headers)
+      rescue Mechanize::ResponseCodeError => e
+        @page = e.page
+      end
+      @headers = nil
+    end
+
     def submit(form, button=nil)
       button ||= form.buttons.first
       begin

diff --git a/lib/aker/rails/secured_controller.rb b/lib/aker/rails/secured_controller.rb
@@ -35,6 +35,14 @@ def aker_authorize
       request.env['aker.check'].authentication_required!
     end
 
+    def handle_unverified_request
+      super
+
+      if request.env['aker.interactive']
+        request.env['aker.check'].user = nil
+      end
+    end
+
     ##
     # Extensions for the rails controller DSL for
     # authentication-required controllers.

diff --git a/test-applications/serenity-30/app/views/protected/authentication_only.text.erb b/test-applications/serenity-30/app/views/protected/authentication_only.text.erb
@@ -1 +1,2 @@
+CSRF <%= form_authenticity_token %>
 I'm protected, <%= current_user.full_name %>.