Skip committing the session for API endpoints (#4222)
This will help avoid setting the Set-Cookie header, which makes responses non-cacheable, and opens us up to someone causing a thundering herd by visiting an API endpoint in the browser and causing fastly to cache a hit-for-pass object, see https://developer.fastly.com/learning/concepts/edge-state/cache/request-collapsing/#hit-for-pass
segiddins authored Nov 22, 2023
1 parent 523f47c commit 18df5ec
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions app/controllers/api/base_controller.rb
@@ -1,5 +1,6 @@
class Api::BaseController < ApplicationController
skip_before_action :verify_authenticity_token
after_action :skip_session

private

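Review bot: `after_action :skip_session` does not run when the action chain is halted earlier, so the cases most likely to produce uncacheable, Set-Cookie-bearing responses may still commit the session. In Rails, a `before_action` that renders (an API key check returning 401/403, for example) terminates the callback chain and the after callbacks are skipped; the same holds when the action raises. Since `request.session_options[:skip] = true` is only consulted when the session middleware commits the response, it is safe to set it up front, so consider `before_action :skip_session` (or `prepend_before_action`) so the flag is in place for every response this controller produces, not only the ones that complete normally.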
@@ -117,4 +118,8 @@ def render_api_key_forbidden
def render_soft_deleted_api_key
render plain: "An invalid API key cannot be used. Please delete it and create a new one.", status: :forbidden
end

def skip_session
request.session_options[:skip] = true
end
end
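Review bot: `skip_session` carries no comment explaining why the session is deliberately not committed, and a future maintainer writing to `session` from an API action (or a subclass) would have that write silently dropped. Suggest a one-line comment above the method pointing at the cacheability/hit-for-pass rationale from the commit message, and a controller test that asserts the response to an API request has no `Set-Cookie` header so the behaviour cannot regress unnoticed.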
