Permalink
Browse files

Add `:without_session` option to skip session based protection

This includes:

* Rack::Protection::SessionHijacking
* Rack::Protection::RemoteToken

Closes #47
  • Loading branch information...
zzak committed Jul 26, 2016
1 parent 3286be8 commit 46b1d85aee1461dff5d9893e61553020729bbf92
@@ -23,6 +23,11 @@ def self.new(app, options = {})
# does not include: RemoteReferrer, AuthenticityToken and FormToken
except = Array options[:except]
use_these = Array options[:use]
if options.fetch(:without_session, false)
except += [:session_hijacking, :remote_token]
end
Rack::Builder.new do
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
@@ -100,4 +100,28 @@
it { expect(instrumenter).not_to receive(:instrument) }
end
end
describe "new" do
it 'should allow disable session protection' do
mock_app do
use Rack::Protection, :without_session => true
run DummyApp
end
session = {:foo => :bar}
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
expect(session[:foo]).to eq :bar
end
it 'should allow disable CSRF protection' do
mock_app do
use Rack::Protection, :without_session => true
run DummyApp
end
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
expect(last_response).to be_ok
end
end
end

0 comments on commit 46b1d85

Please sign in to comment.