Disable storage on CSRF

commit 66716023e4ef7ce483128cff5b2c6c68520a5dbb 1 parent 4bc2ff9
José Valim josevalim authored
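--- a/lib/devise/controllers/helpers.rb
+++ b/lib/devise/controllers/helpers.rb
@@ -255,6 +255,7 @@ def sign_out_and_redirect(resource_or_scope)
 def handle_unverified_request
 sign_out_all_scopes
 warden.clear_strategies_cache!
+request.env["devise.skip_storage"] = true
 expire_devise_cached_variables!
 super # call the default behaviour which resets the session
 end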
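Review bot: The new `request.env["devise.skip_storage"] = true` line carries no explanation of why storage has to be switched off at this point, and the key is a bare string that is repeated verbatim in the `store?` added to lib/devise/strategies/base.rb, so a reader of `handle_unverified_request` alone cannot tell what honours it. I would add above it `# A request that failed CSRF verification must not be able to establish a session: Devise::Strategies::Base#store? returns false while this flag is set, so nothing authenticated later in this request gets persisted.` and hoist the key into one frozen constant referenced from both files so the two sides cannot drift apart. The flag is set before `super` resets the session, which looks like the intended ordering. handle_unverified_request is fully inside the hunk; the `sign_out_and_redirect` in the hunk header is only context.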
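--- a/lib/devise/strategies/authenticatable.rb
+++ b/lib/devise/strategies/authenticatable.rb
@@ -9,7 +9,7 @@ class Authenticatable < Base
 attr_accessor :authentication_hash, :authentication_type, :password
 
 def store?
-!mapping.to.skip_session_storage.include?(authentication_type)
+super && !mapping.to.skip_session_storage.include?(authentication_type)
 end
 
 def valid?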
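Review bot: The changed `store?` now combines two conditions but has no comment saying what each one contributes, and the `super` dispatches to the `Devise::Strategies::Base#store?` introduced in lib/devise/strategies/base.rb (the per-request `devise.skip_storage` switch), which is not obvious from this file alone. I would add above the method `# Persist the user in the session only when storage is enabled for this request (Base#store?) and this authentication type is not listed in skip_session_storage.` Because `super` comes first, the env lookup short-circuits the mapping lookup, which is fine but worth keeping if the condition is ever reordered.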
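--- a/lib/devise/strategies/base.rb
+++ b/lib/devise/strategies/base.rb
@@ -2,6 +2,11 @@ module Devise
 module Strategies
 # Base strategy for Devise. Responsible for verifying correct scope and mapping.
 class Base < ::Warden::Strategies::Base
+# Whenever CSRF cannot be verified, we turn off any kind of storage
+def store?
+!env["devise.skip_storage"]
+end
+
 # Checks if a valid scope was given for devise and find mapping based on this scope.
 def mapping
 @mapping ||= begin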
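Review bot: The comment on the new `Base#store?` states the intent but not the contract subclasses must honour: any strategy that overrides `store?` without calling `super` silently re-enables session storage for a request that failed CSRF verification, which is exactly the case this change exists to close. I would extend it to `# Whenever CSRF cannot be verified, we turn off any kind of storage. Subclasses that override store? must AND their own condition with super so this per-request switch is never bypassed.` The flag is read from `env` here and written to `request.env` in lib/devise/controllers/helpers.rb; presumably both refer to the same Rack env hash, but that is worth confirming, since the switch is a silent no-op if they ever differ. The `mapping` method at the end of the hunk continues outside it.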
