Added the option :authenticity_param to the AuthenticityToken

protection to allow for a different param name to be sent/expected by the application that uses it.
sinatra · Aug 6, 2013 · 73236da · 73236da
1 parent b233343
commit 73236da
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/lib/rack/protection/authenticity_token.rb b/lib/rack/protection/authenticity_token.rb
@@ -11,13 +11,20 @@ module Protection
     # included in the session.
     #
     # Compatible with Rails and rack-csrf.
+    #
+    # Options:
+    #
+    # authenticity_param: Defines the param's name that should contain the token on a request.
+    #
     class AuthenticityToken < Base
+      default_options :authenticity_param => 'authenticity_token'
+
       def accepts?(env)
         return true if safe? env
         session = session env
         token   = session[:csrf] ||= session['_csrf_token'] || random_string
         env['HTTP_X_CSRF_TOKEN'] == token or
-          Request.new(env).params['authenticity_token'] == token
+          Request.new(env).params[options[:authenticity_param]] == token
       end
     end
   end

diff --git a/spec/authenticity_token_spec.rb b/spec/authenticity_token_spec.rb
@@ -30,4 +30,14 @@
   it "prevents ajax requests without a valid token" do
     post('/', {}, "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest").should_not be_ok
   end
+
+  it "allows for a custom authenticity token param" do
+    mock_app do
+      use Rack::Protection::AuthenticityToken, :authenticity_param => 'csrf_param'
+      run proc { |e| [200, {'Content-Type' => 'text/plain'}, ['hi']] }
+    end
+
+    post('/', {"csrf_param" => "a"}, 'rack.session' => {:csrf => "a"})
+    last_response.should be_ok
+  end
 end