RubyGems - angular_csrf - Versions diffs - 0.1.2 → 0.1.3 - Mend

angular_csrf 0.1.2 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/README.md +4 -4
data/lib/angular_csrf.rb +1 -1
data/lib/version.rb +1 -1
data/spec/angular_csrf_spec.rb +11 -19
data/spec/rails_app/Gemfile +1 -1
data/spec/rails_app/Gemfile.lock +63 -38
data/spec/rails_app/config/environments/production.rb +1 -1
data/spec/rails_app/config/environments/test.rb +1 -1
data/spec/rails_app/log/development.log +55 -0
data/spec/rails_app/log/test.log +1156 -0
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a9b8b252bd73aed6ea7580f2d471a095223ec598
-  data.tar.gz: 36b7d8b1d0db47305ea40e0f3a72acf814e9563c
+  metadata.gz: d0d20b5f53013d30629c823691ed9c60419095a6
+  data.tar.gz: 936d25874e0f27d7850349e73402fc3939c52f03
 SHA512:
-  metadata.gz: be590420c3690edb5ca2cf850929bc9aa80f5e246767a28ce44901802eafb15078becbe8c63994c1656982f6ed934eee33afeac595fae9d4741d1e1573ba7cab
-  data.tar.gz: 3cb60b6217e35fed7f690ace981446f4502fdfe764bd852685cb4f2c86cf8d20727e6c3c69d86303630a64c2486bdef20e7c76c5c376ec4188c511c37ec4aac1
+  metadata.gz: 1d858874b318165898f9be2da58e192af0bf02375f6f9385ccc988800bede6681b52cfa840a13164e5ff0a483724cc137a2ec81d0e71a78437d42351125e711c
+  data.tar.gz: 5b481e2da6cabc859cb10c24c759b646b280de1caa1e0a8cc16cc41fa22e85f68a3c0f2973f902b16e47d9f0aa28878dc95982c3dfa75b67a49d5dcda9911a2f

data/README.md CHANGED Viewed

@@ -9,15 +9,15 @@ Extends Rails CSRF protection to play nicely with AngularJS.
 [![Dependency Status](https://gemnasium.com/Sinbadsoft/angular_csrf.svg)](https://gemnasium.com/Sinbadsoft/angular_csrf)
 [![Gem Version](https://badge.fury.io/rb/angular_csrf.svg)](http://badge.fury.io/rb/angular_csrf)
+Once installed, angular_csrf **just works**: No need to change or configure neither the AngularJS javascript code
+nor the Rails application.
 CSRF is an exploit that allows malicious websites to do unauthorized actions on a website that trusts the user.
 The angular_csrf gem extends the CSRF protection in Rails to match the naming convention used in AngularJS for the HTTP
 header and cookie token names
 (see [Cookie-to-Header Token](http://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token) CSRF
 protection strategy for more details).
-Once installed, angular_csrf "just works": No need to change or configure neither the AngularJS javascript code nor the
-Rails application.
 angular_csrf has a very small footprint and has only the rails gem as dependency.
 ## Getting Started
@@ -46,7 +46,7 @@ AngularJS [deals with CSRF protection](https://docs.angularjs.org/api/ng/service
 * Reads the CSRF protection token form a cookie, by default `XSRF-TOKEN`
 * Sends back the CSRF token as a http header, by default: `X-XSRF-TOKEN`
-angular_csrf makes the Rails application or API set the expected cookie token and read validate the
+angular_csrf makes the Rails application or API set the expected cookie token and read and validate the
 http header sent by AngularJS. angular_csrf installs a Rails initializer
 [that extends the application controllers](https://github.com/Sinbadsoft/angular_csrf/blob/master/lib/angular_csrf.rb)
 to perform these tasks.

data/lib/angular_csrf.rb CHANGED Viewed

@@ -13,7 +13,7 @@ module AngularCsrf
       define_method :verified_request_with_angular_header? do
         verified_request_without_angular_header? ||
-          form_authenticity_token == request.headers[ANGULAR_CSRF_HEADER_NAME]
+          valid_authenticity_token?(session, request.headers[ANGULAR_CSRF_HEADER_NAME])
       end
       alias_method_chain :verified_request?, :angular_header
     end

data/lib/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AngularCsrf
-  VERSION = '0.1.2'
+  VERSION = '0.1.3'
 end

data/spec/angular_csrf_spec.rb CHANGED Viewed

@@ -1,33 +1,25 @@
 require 'rails_helper'
 describe 'angular_csrf', type: :request do
-  it 'sets expected AngularJS csrf cookie' do
+  it 'validates csrf protection using AngularJS set header name and with AngularJS cookie value' do
     get '/'
-    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to_not be_nil
-    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to eq(session[:_csrf_token])
-  end
-  it 'checks AngularJS csrf http header for csrf protection' do
-    get '/'
-    post '/', { }, AngularCsrf::ANGULAR_CSRF_HEADER_NAME => session[:_csrf_token]
-    expect(response.status).to eq(201)
-  end
+    expect do
+      post '/'
+    end.to raise_error(ActionController::InvalidAuthenticityToken)
-  it 'not modify behavior for default csrf http header' do
-    get '/'
-    post '/', { }, 'X-CSRF-Token' => session[:_csrf_token]
+    post '/', { }, AngularCsrf::ANGULAR_CSRF_HEADER_NAME => response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]
     expect(response.status).to eq(201)
   end
-  it 'changes AngularJS csrf cookie value on csrf token change' do
+  it 'does not modify behavior for default csrf http header' do
     get '/'
-    old_csrf_token = session[:_csrf_token]
-    post '/create_and_reset_session', { },
-         AngularCsrf::ANGULAR_CSRF_HEADER_NAME => response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]
-    expect(response.status).to eq(201)
+    expect do
+      post '/'
+    end.to raise_error(ActionController::InvalidAuthenticityToken)
-    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to_not eq(old_csrf_token)
-    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to eq(session[:_csrf_token])
+    post '/', { }, 'X-CSRF-Token' => session[:_csrf_token]
+    expect(response.status).to eq(201)
   end
 end

data/spec/rails_app/Gemfile CHANGED Viewed

@@ -1,4 +1,4 @@
 source 'https://rubygems.org'
-gem 'rails', '4.1.7'
+gem 'rails', '4.2.0'
 gem 'angular_csrf', path: '../../'

data/spec/rails_app/Gemfile.lock CHANGED Viewed

@@ -1,74 +1,99 @@
 PATH
   remote: ../../
   specs:
-    angular_csrf (0.1.0)
+    angular_csrf (0.1.3)
       rails (>= 3.1)
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (4.1.7)
-      actionpack (= 4.1.7)
-      actionview (= 4.1.7)
+    actionmailer (4.2.0)
+      actionpack (= 4.2.0)
+      actionview (= 4.2.0)
+      activejob (= 4.2.0)
       mail (~> 2.5, >= 2.5.4)
-    actionpack (4.1.7)
-      actionview (= 4.1.7)
-      activesupport (= 4.1.7)
-      rack (~> 1.5.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (4.2.0)
+      actionview (= 4.2.0)
+      activesupport (= 4.2.0)
+      rack (~> 1.6.0)
       rack-test (~> 0.6.2)
-    actionview (4.1.7)
-      activesupport (= 4.1.7)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    actionview (4.2.0)
+      activesupport (= 4.2.0)
       builder (~> 3.1)
       erubis (~> 2.7.0)
-    activemodel (4.1.7)
-      activesupport (= 4.1.7)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    activejob (4.2.0)
+      activesupport (= 4.2.0)
+      globalid (>= 0.3.0)
+    activemodel (4.2.0)
+      activesupport (= 4.2.0)
       builder (~> 3.1)
-    activerecord (4.1.7)
-      activemodel (= 4.1.7)
-      activesupport (= 4.1.7)
-      arel (~> 5.0.0)
-    activesupport (4.1.7)
-      i18n (~> 0.6, >= 0.6.9)
+    activerecord (4.2.0)
+      activemodel (= 4.2.0)
+      activesupport (= 4.2.0)
+      arel (~> 6.0)
+    activesupport (4.2.0)
+      i18n (~> 0.7)
       json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
-      thread_safe (~> 0.1)
+      thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    arel (5.0.1.20140414130214)
+    arel (6.0.0)
     builder (3.2.2)
     erubis (2.7.0)
+    globalid (0.3.0)
+      activesupport (>= 4.1.0)
     hike (1.2.3)
-    i18n (0.6.11)
+    i18n (0.7.0)
     json (1.8.1)
+    loofah (2.0.1)
+      nokogiri (>= 1.5.9)
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
     mime-types (2.4.3)
-    minitest (5.4.2)
+    mini_portile (0.6.1)
+    minitest (5.5.0)
     multi_json (1.10.1)
-    rack (1.5.2)
+    nokogiri (1.6.5)
+      mini_portile (~> 0.6.0)
+    rack (1.6.0)
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (4.1.7)
-      actionmailer (= 4.1.7)
-      actionpack (= 4.1.7)
-      actionview (= 4.1.7)
-      activemodel (= 4.1.7)
-      activerecord (= 4.1.7)
-      activesupport (= 4.1.7)
+    rails (4.2.0)
+      actionmailer (= 4.2.0)
+      actionpack (= 4.2.0)
+      actionview (= 4.2.0)
+      activejob (= 4.2.0)
+      activemodel (= 4.2.0)
+      activerecord (= 4.2.0)
+      activesupport (= 4.2.0)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.1.7)
-      sprockets-rails (~> 2.0)
-    railties (4.1.7)
-      actionpack (= 4.1.7)
-      activesupport (= 4.1.7)
+      railties (= 4.2.0)
+      sprockets-rails
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.5)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.1)
+      loofah (~> 2.0)
+    railties (4.2.0)
+      actionpack (= 4.2.0)
+      activesupport (= 4.2.0)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (10.3.2)
+    rake (10.4.2)
     sprockets (2.12.3)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.2.0)
+    sprockets-rails (2.2.2)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
@@ -83,4 +108,4 @@ PLATFORMS
 DEPENDENCIES
   angular_csrf!
-  rails (= 4.1.7)
+  rails (= 4.2.0)

data/spec/rails_app/config/environments/production.rb CHANGED Viewed

@@ -20,7 +20,7 @@ Rails.application.configure do
   # config.action_dispatch.rack_cache = true
   # Disable Rails's static asset server (Apache or nginx will already do this).
-  config.serve_static_assets = false
+  config.serve_static_files = false
   # Specifies the header that your server uses for sending files.

data/spec/rails_app/config/environments/test.rb CHANGED Viewed

@@ -13,7 +13,7 @@ Rails.application.configure do
   config.eager_load = false
   # Configure static asset server for tests with Cache-Control for performance.
-  config.serve_static_assets  = true
+  config.serve_static_files  = true
   config.static_cache_control = 'public, max-age=3600'
   # Show full error reports and disable caching.

data/spec/rails_app/log/development.log CHANGED Viewed

@@ -18,3 +18,58 @@ Completed 200 OK in 0ms
 Started GET "/" for 127.0.0.1 at 2014-11-08 22:52:50 +0100
 Processing by GuineaPigController#index as HTML
 Completed 200 OK in 23ms
+Started GET "/" for ::1 at 2014-12-29 16:05:04 +0100
+Processing by GuineaPigController#index as HTML
+Completed 200 OK in 7ms
+Started GET "/" for ::1 at 2014-12-29 16:05:16 +0100
+Processing by GuineaPigController#index as HTML
+Completed 200 OK in 0ms
+Started GET "/" for ::1 at 2014-12-29 16:05:43 +0100
+Processing by GuineaPigController#index as HTML
+Completed 200 OK in 1ms
+Started GET "/" for ::1 at 2014-12-29 16:07:32 +0100
+Processing by GuineaPigController#index as HTML
+Completed 200 OK in 0ms
+Started GET "/create" for ::1 at 2014-12-29 16:07:40 +0100
+ActionController::RoutingError (No route matches [GET] "/create"):
+  actionpack (4.2.0) lib/action_dispatch/middleware/debug_exceptions.rb:21:in `call'
+  actionpack (4.2.0) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
+  railties (4.2.0) lib/rails/rack/logger.rb:38:in `call_app'
+  railties (4.2.0) lib/rails/rack/logger.rb:20:in `block in call'
+  activesupport (4.2.0) lib/active_support/tagged_logging.rb:68:in `block in tagged'
+  activesupport (4.2.0) lib/active_support/tagged_logging.rb:26:in `tagged'
+  activesupport (4.2.0) lib/active_support/tagged_logging.rb:68:in `tagged'
+  railties (4.2.0) lib/rails/rack/logger.rb:20:in `call'
+  actionpack (4.2.0) lib/action_dispatch/middleware/request_id.rb:21:in `call'
+  rack (1.6.0) lib/rack/methodoverride.rb:22:in `call'
+  rack (1.6.0) lib/rack/runtime.rb:18:in `call'
+  activesupport (4.2.0) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
+  rack (1.6.0) lib/rack/lock.rb:17:in `call'
+  actionpack (4.2.0) lib/action_dispatch/middleware/static.rb:113:in `call'
+  rack (1.6.0) lib/rack/sendfile.rb:113:in `call'
+  railties (4.2.0) lib/rails/engine.rb:518:in `call'
+  railties (4.2.0) lib/rails/application.rb:164:in `call'
+  rack (1.6.0) lib/rack/lock.rb:17:in `call'
+  rack (1.6.0) lib/rack/content_length.rb:15:in `call'
+  rack (1.6.0) lib/rack/handler/webrick.rb:89:in `service'
+  /Users/nakhli/.rvm/rubies/ruby-2.1.3/lib/ruby/2.1.0/webrick/httpserver.rb:138:in `service'
+  /Users/nakhli/.rvm/rubies/ruby-2.1.3/lib/ruby/2.1.0/webrick/httpserver.rb:94:in `run'
+  /Users/nakhli/.rvm/rubies/ruby-2.1.3/lib/ruby/2.1.0/webrick/server.rb:295:in `block in start_thread'
+  Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb (0.9ms)
+  Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/routes/_route.html.erb (0.5ms)
+  Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/routes/_table.html.erb (3.8ms)
+  Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb (1.1ms)
+  Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb within rescues/layout (19.4ms)