Allow CSRF to be disabled entirely #1655

matthewmcgarvey · 2022-01-27T03:20:56Z

matthewmcgarvey
Jan 27, 2022
Maintainer

Right now, flow specs work because they use Chrome (headlessly). In my work to add an in-memory version, we lose the ability to run javascript. That means we lose the ability for the javascript layer to add on csrf tokens to requests. This causes requests to fail.

In looking at how Capybara deals with this, I found that Rails disables CSRF protection in the test environment
https://github.com/rails/rails/blob/1438c0416fed98b20475b0cbe0c8e3965705cad0/railties/lib/rails/generators/rails/app/templates/config/environments/test.rb.tt#L34

I think we should do something similar. At least, we could add a setting to allow disabling it.

The setting would be used here:

lucky/src/lucky/protect_from_forgery.cr

Lines 19 to 26 in 48d8f7b

    
           private def protect_from_forgery 
        
             set_session_csrf_token 
        
             if request_does_not_require_protection? || valid_csrf_token? 
        
               continue 
        
             else 
        
               forbid_access_because_of_bad_token 
        
             end 
        
           end

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow CSRF to be disabled entirely #1655

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

Allow CSRF to be disabled entirely #1655

matthewmcgarvey Jan 27, 2022 Maintainer

Replies: 0 comments

matthewmcgarvey
Jan 27, 2022
Maintainer