turbolinks / turbolinks-ios

Native iOS adapter for building hybrid apps with Turbolinks 5
MIT License

[Question] Native web requests to Rails without disabling CSRF #167

Open joemasilotti opened 4 years ago

joemasilotti commented 4 years ago

Our app is making native, authenticated web requests via NSURLSession as explained in the Authentication wiki to a Rails backend. To get any of these JSON requests to work we need to disable CSRF protection via skip_before_action :verify_authenticity_token.

  1. Is this "OK" or are we opening up ourselves to a potential attack?
  2. If not, is there a better way to authorize these network requests coming from iOS?

Thanks for the help!

zachwaugh commented 4 years ago

Our apps all use OAuth tokens for any native API requests. Then, we disable CSRF protection in Rails only for requests that are authenticated with OAuth and keep CSRF enabled for all web requests.

joemasilotti commented 4 years ago

Thanks for the reply! I have two follow up questions:

  1. Is OAuth done via a user flow? Or does the client and server authenticate with each other for each session?
  2. How does the initial request work? Isn't that done before the client has authenticated and presumably before any OAuthing has been done? My assumption is that CSRF would need to be disabled for that and no OAuth present.

zachwaugh commented 4 years ago

Our authentication is all done natively. We have a native, standard OAuth flow for signing in and get OAuth tokens back. The native app then authenticates the web view with the OAuth tokens, and we've taken two different approaches there; both work: 1) load a request in the web view with the OAuth token to an endpoint that authenticates the user and sets the right cookies from the server, or 2) return the cookies along with the OAuth request, and the app manually sets those cookies to the web view's cookie store.
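
The two pieces of the approach described in the replies above, as an added example that is not code from turbolinks-ios, from Rails, or from the commenter: (a) the earlier reply's policy of skipping the forgery check only for requests that carry a verified OAuth bearer token while keeping it for all web requests, and (b) approach 1 from this reply, an endpoint that takes the native app's token and establishes the web view's session cookie. The Rails controller equivalent of (a) is `skip_before_action :verify_authenticity_token, if: :oauth_request?`; the plain-Ruby module below models that decision on a Rack-style env hash so it runs without Rails. The module name, the HMAC token format, the secret and the request hashes are all constructed for this example; a real app would use a proper OAuth provider (for example Doorkeeper) rather than a hand-rolled token.

```ruby
require "openssl"
require "securerandom"

# Added example (not turbolinks-ios or Rails code). Models: CSRF protection is
# skipped only for requests whose bearer token actually verifies; every other
# request (the web view, the browser) must present the session's CSRF token.
module HybridAuth
  TOKEN_SECRET = "example-oauth-hmac-secret-do-not-use".freeze # constructed

  # Mint an opaque bearer token "<user_id>.<issued_at>.<hmac>" (illustrative format).
  def self.issue_token(user_id, now: Time.now.to_i)
    payload = "#{user_id}.#{now}"
    "#{payload}.#{hmac(payload)}"
  end

  # Return the user id if the token is well-formed and its MAC verifies, else nil.
  def self.verify_token(token)
    return nil unless token.is_a?(String)
    user_id, issued_at, mac = token.split(".", 3)
    return nil if user_id.nil? || issued_at.nil? || mac.nil?
    secure_equal?(mac, hmac("#{user_id}.#{issued_at}")) ? user_id : nil
  end

  def self.hmac(data)
    OpenSSL::HMAC.hexdigest("SHA256", TOKEN_SECRET, data)
  end

  # Constant-time comparison so MAC checks do not leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Pull the bearer token out of a Rack-style env hash, if any.
  def self.bearer_token(env)
    m = env["HTTP_AUTHORIZATION"].to_s.match(/\ABearer\s+(\S+)\z/)
    m && m[1]
  end

  # Stand-in for: skip_before_action :verify_authenticity_token, if: :oauth_request?
  # The forgery check is skipped only when the token verifies; a made-up
  # Authorization header alone must not switch CSRF protection off.
  def self.forgery_check_required?(env)
    verify_token(bearer_token(env)).nil?
  end

  # The forgery check itself: the request must present the session's CSRF token,
  # as the X-CSRF-Token header or the authenticity_token form parameter.
  def self.forgery_check_passes?(env, session)
    presented = env["HTTP_X_CSRF_TOKEN"] || env["params"].to_h["authenticity_token"]
    expected = session[:csrf_token]
    presented.is_a?(String) && expected.is_a?(String) && secure_equal?(presented, expected)
  end

  # Approach 1 from the thread: the app loads an endpoint with its OAuth token and
  # the server establishes the web session (the cookie) from it. Returns the new
  # session hash, or nil if the token is bad.
  def self.exchange_token_for_session(token)
    user_id = verify_token(token)
    return nil if user_id.nil?
    { user_id: user_id, csrf_token: SecureRandom.hex(32) }
  end

  # Dispatch a state-changing request (e.g. POST /posts.json). Returns a symbol
  # standing in for the controller outcome.
  def self.handle_request(env, session)
    if forgery_check_required?(env)
      return :invalid_authenticity_token unless forgery_check_passes?(env, session)
      user = session[:user_id]
    else
      user = verify_token(bearer_token(env))
    end
    user ? :ok : :unauthorized
  end
end

if __FILE__ == $PROGRAM_NAME
  token = HybridAuth.issue_token("42")
  native = { "REQUEST_METHOD" => "POST", "HTTP_AUTHORIZATION" => "Bearer #{token}" }
  p HybridAuth.handle_request(native, {})                # :ok (native JSON request, no CSRF token needed)
  session = HybridAuth.exchange_token_for_session(token) # web view session established from the token
  browser = { "REQUEST_METHOD" => "POST", "HTTP_X_CSRF_TOKEN" => session[:csrf_token] }
  p HybridAuth.handle_request(browser, session)          # :ok (web request with matching CSRF token)
  cross_site = { "REQUEST_METHOD" => "POST" }
  p HybridAuth.handle_request(cross_site, session)       # :invalid_authenticity_token
  forged = { "REQUEST_METHOD" => "POST", "HTTP_AUTHORIZATION" => "Bearer 42.0.deadbeef" }
  p HybridAuth.handle_request(forged, session)           # :invalid_authenticity_token
end
```

The forged-token case is the one worth keeping in mind: if the skip condition only looked for the presence of an Authorization header, a request carrying any junk bearer value would bypass the forgery check, so the condition must verify the token before skipping it.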

joemasilotti commented 4 years ago

OK, I think I'm starting to understand more. Thanks again.

Is the "native, standard OAuth flow" done via a third party library or are you simply generating a token for use of the client?

Also, does the OAuth endpoint have CSRF disabled? I don't see how it couldn't.