Make CSRF failure logging optional/configurable.

[joho]

Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection
which is on by default.

My reasoning being that I'm using papertrailapp on an app that is maybe 80% API and I'm explicitly using null_session to ignore CSRF problems on my API endpoints safely, but am getting a lot of log noise which isn't very helpful. I thought about overriding verify_authenticity_token in my app code, but the comments suggest that is a bad idea and I agree, but as the logging happens in there rather than in any of the protection method classes, I can't override the behaviour the preferred way.

The other implementation options I've thought of:

• push all the logging down into the classes in ProtectionMethods and then I re-implement NullSession in my own app code as QuietNullSession
• add a QuietNullSession to ProtectionMethods

I prefer it to be a config option because that way I don't have to worry about keeping my CSRF stuff in sync with rails over time, because honestly I'm unlikely to, and then security will happen to me.

[dnch]

👍

[joho]

@NZKoz as the committer that had a bunch to do with #7616 have you any thoughts?

[NZKoz]

a config option to silence the log message sounds simplest and I have no objection to it being included.

[joho]

So... last time I put in a patch everything was still lighthouse and patchfiles.

What now?