Rails integration for AngularJS style CSRF protection
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
lib Version 3.2.0 May 15, 2018
test Allow custom cookie name to be set (#34) May 15, 2018
.gitignore Exclude for certain actions and revert for after_filter. Closes #17 (#25 Sep 29, 2016
.travis.yml try with install Apr 10, 2018
CHANGELOG.md Version 3.2.0 May 15, 2018
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md Jan 16, 2018
Gemfile update rubies Jan 16, 2018
LICENSE some docs Jan 16, 2018
README.md Version 3.2.0 May 15, 2018
Rakefile Version 1.0.0 Dec 13, 2013
angular_rails_csrf.gemspec support for rails 5.2.0 Apr 10, 2018

README.md

AngularJS-style CSRF Protection for Rails

Gem Version Build Status

The AngularJS ng.$http service has built-in CSRF protection. By default, it looks for a cookie named XSRF-TOKEN and, if found, writes its value into an X-XSRF-TOKEN header, which the server compares with the CSRF token saved in the user's session.

This project adds direct support for this scheme to your Rails application without requiring any changes to your AngularJS application. It also doesn't require the use of csrf_meta_tags to write a CSRF token into your page markup, so it works for pure JSON API applications.

Note that there is nothing AngularJS specific here, and this will work with any other front-end that implements the same scheme.

Version 3 supports only Rails 4+ and Ruby 2.3+. If you are still on Rails 3 (2, 1?!), you have to utilize version 2.1.1!

Installation

Add this line to your application's Gemfile:

gem 'angular_rails_csrf'

And then execute:

$ bundle

That's it!

Configuration

Cookie Name

The default cookie's name is XSRF-TOKEN but it can be configured with the angular_rails_csrf_cookie_name setting:

# application.rb
class Application < Rails::Application
  #...
  config.angular_rails_csrf_cookie_name = 'CUSTOM_NAME'
end

Cookie Domain

Starting from version 3, you may set domain for the XSRF cookie:

# application.rb
class Application < Rails::Application
  #...
  config.angular_rails_csrf_domain = :all
end

If angular_rails_csrf_domain is not set, it defaults to nil.

Exclusions

Sometimes you will want to skip setting the XSRF token for certain controllers (for example, when using SSE or ActionCable, as discussed here):

class ExclusionsController < ApplicationController
  exclude_xsrf_token_cookie
  
  # your actions here...
end

Testing

Run

$ bundle install

and then

$ rake test

License

Licensed under the MIT License.