Broken in Ember-CLI 0.2.2? #20

Closed
krzkrzkrz opened this Issue Apr 1, 2015 · 12 comments

krzkrzkrz commented Apr 1, 2015

I've upgraded to Ember-CLI 0.2.2.

I am following the readme at https://github.com/abuiles/rails-csrf. i.e.

Add a meta tag like the following to your app body and the addon will do the rest:
<meta content="adfadfadsfi34/sdfadfadf=" name="csrf-token">

I refresh the page, and the meta tag's content value does not change to anything, as if the plugin isn't working. I also don't see any API attempts to the CSRF API endpoint. The network tab of Ember Inspector doesn't show anything relevant.

Is the readme missing a step?

skanderm commented Apr 8, 2015

Same problem here. This is also with 0.2.2.

skanderm commented Apr 9, 2015

@krzkrzkrz The addon seems to assume that the meta tag is actually provided in your Rails template via <%= csrf_meta_tags %> and no longer makes a call to a /csrf endpoint. You probably need to downgrade to a previous version to get that functionality again.

Also, https://www.npmjs.com/package/rails-csrf seems out of date.

e-fu commented Apr 11, 2015

btw, <%= csrf_meta_tags %> output is similar to:

krzkrzkrz commented Apr 15, 2015

@skanderm if the addon assumes that the meta tag is included in a Rails template, how is that even possible if one is using Ember CLI (Single Page Application), where the client handles all of the "templates/views" and Rails just acts as an API?

For single page applications, should we just query the API for the CSRF token?

skanderm commented Apr 15, 2015

@krzkrzkrz Yeah, I went back to doing that, I'm back to v1.0.1 now.

samjulien commented Apr 17, 2015

I'm in the middle of this same problem. @krzkrzkrz, how are you querying the API for the csrf token? @skanderm, did you go back to v.1.0.1 of rails-csrf? Thanks!

skanderm commented Apr 17, 2015

Yep @samjulien, on v1.0.1. You can create a /csrf endpoint on your API that looks like

class CsrfController < ApplicationController
  def index
    render json: { request_forgery_protection_token => form_authenticity_token }.to_json
  end
end

Check out the previous versions of the readme.

samjulien commented Apr 17, 2015

@skanderm Is there something different I need to do in app.js to load the initializer or import rails-csrf? I'm getting Error while processing route: index Cannot read property 'fetchToken' of undefined TypeError: Cannot read property 'fetchToken' of undefined when I try to load the page.

All I've done in app.js is what the readme recommended (in addition to what was already there):

loadInitializers(App, config.modulePrefix, 'rails-csrf');

Thanks in advance!

skanderm commented Apr 17, 2015

@samjulien Maybe try it in its own call after the first?

loadInitializers(App, config.modulePrefix);
loadInitializers(App, 'rails-csrf');

samjulien commented Apr 21, 2015

@skanderm forgot to thank you for this - rails-csrf is working, just gotta wrestle with rack now. Cheers!

krzkrzkrz commented Apr 28, 2015

@samjulien at this point, I don't think querying the API for a CSRF token is the best approach. It leaves the application vulnerable.

Owner

abuiles commented Apr 28, 2015

As @krzkrzkrz mentioned, querying the API is not recommended because of possible vulnerabilities. The recommended way is to disable CSRF in dev, then enable it in production, and make sure you inject the CSRF token in the body when booting up the app.

@abuiles abuiles closed this Apr 28, 2015
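
Added example (not from the thread and not the rails-csrf addon's code): one way to follow the recommendation above, reading the token that Rails rendered into the page and sending it as the `X-CSRF-Token` header only on same-origin, state-changing requests. The function names and the `win` parameter are hypothetical.

```javascript
// Added example; readCsrfToken, csrfHeadersFor and installCsrf are
// hypothetical names, not the rails-csrf addon's API.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Read the token Rails rendered into the page via <%= csrf_meta_tags %>.
// `doc` is the browser `document` (anything with querySelector works).
function readCsrfToken(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  const token = meta ? meta.getAttribute('content') : null;
  return token && token.trim() !== '' ? token : null;
}

// Return the extra headers for one request. The token is attached only to
// state-changing requests whose resolved URL shares the page's origin, so it
// is never sent to another host.
function csrfHeadersFor(method, url, pageOrigin, token) {
  if (!token || SAFE_METHODS.has(String(method).toUpperCase())) return {};
  let target;
  try {
    target = new URL(url, pageOrigin); // resolves relative URLs against the page
  } catch (e) {
    return {}; // unparseable URL: do not attach the token
  }
  return target.origin === new URL(pageOrigin).origin ? { 'X-CSRF-Token': token } : {};
}

// Wrap fetch once at boot. `win` is the browser `window`; returns false when
// the page carries no token.
function installCsrf(win) {
  const token = readCsrfToken(win.document);
  const originalFetch = win.fetch.bind(win);
  win.fetch = (input, init = {}) => {
    // input may be a string, a URL or a Request
    const href = typeof input === 'string' ? input : input.url || String(input);
    const method = init.method || input.method || 'GET';
    const headers = new win.Headers(init.headers || input.headers || {});
    const extra = csrfHeadersFor(method, href, win.location.origin, token);
    for (const [name, value] of Object.entries(extra)) headers.set(name, value);
    return originalFetch(input, { ...init, headers });
  };
  return token !== null;
}
```

In the browser, call `installCsrf(window)` once before the app issues its first request.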
