RubyGems - angular_csrf - Versions diffs - 0.1.2 → 0.1.3 - Mend

angular_csrf 0.1.2 → 0.1.3

Files changed (12) hide show

checksums.yaml +4 -4
data/README.md +4 -4
data/lib/angular_csrf.rb +1 -1
data/lib/version.rb +1 -1
data/spec/angular_csrf_spec.rb +11 -19
data/spec/rails_app/Gemfile +1 -1
data/spec/rails_app/Gemfile.lock +63 -38
data/spec/rails_app/config/environments/production.rb +1 -1
data/spec/rails_app/config/environments/test.rb +1 -1
data/spec/rails_app/log/development.log +55 -0
data/spec/rails_app/log/test.log +1156 -0
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a9b8b252bd73aed6ea7580f2d471a095223ec598
-  data.tar.gz: 36b7d8b1d0db47305ea40e0f3a72acf814e9563c
+  metadata.gz: d0d20b5f53013d30629c823691ed9c60419095a6
+  data.tar.gz: 936d25874e0f27d7850349e73402fc3939c52f03
 SHA512:
-  metadata.gz: be590420c3690edb5ca2cf850929bc9aa80f5e246767a28ce44901802eafb15078becbe8c63994c1656982f6ed934eee33afeac595fae9d4741d1e1573ba7cab
-  data.tar.gz: 3cb60b6217e35fed7f690ace981446f4502fdfe764bd852685cb4f2c86cf8d20727e6c3c69d86303630a64c2486bdef20e7c76c5c376ec4188c511c37ec4aac1
+  metadata.gz: 1d858874b318165898f9be2da58e192af0bf02375f6f9385ccc988800bede6681b52cfa840a13164e5ff0a483724cc137a2ec81d0e71a78437d42351125e711c
+  data.tar.gz: 5b481e2da6cabc859cb10c24c759b646b280de1caa1e0a8cc16cc41fa22e85f68a3c0f2973f902b16e47d9f0aa28878dc95982c3dfa75b67a49d5dcda9911a2f

data/README.md CHANGED Viewed

@@ -9,15 +9,15 @@ Extends Rails CSRF protection to play nicely with AngularJS.
 [![Dependency Status](https://gemnasium.com/Sinbadsoft/angular_csrf.svg)](https://gemnasium.com/Sinbadsoft/angular_csrf)
 [![Gem Version](https://badge.fury.io/rb/angular_csrf.svg)](http://badge.fury.io/rb/angular_csrf)
+Once installed, angular_csrf **just works**: No need to change or configure neither the AngularJS javascript code
+nor the Rails application.
 CSRF is an exploit that allows malicious websites to do unauthorized actions on a website that trusts the user.
 The angular_csrf gem extends the CSRF protection in Rails to match the naming convention used in AngularJS for the HTTP
 header and cookie token names
 (see [Cookie-to-Header Token](http://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token) CSRF
 protection strategy for more details).
-Once installed, angular_csrf "just works": No need to change or configure neither the AngularJS javascript code nor the
-Rails application.
 angular_csrf has a very small footprint and has only the rails gem as dependency.
 ## Getting Started
@@ -46,7 +46,7 @@ AngularJS [deals with CSRF protection](https://docs.angularjs.org/api/ng/service
 * Reads the CSRF protection token form a cookie, by default `XSRF-TOKEN`
 * Sends back the CSRF token as a http header, by default: `X-XSRF-TOKEN`
-angular_csrf makes the Rails application or API set the expected cookie token and read validate the
+angular_csrf makes the Rails application or API set the expected cookie token and read and validate the
 http header sent by AngularJS. angular_csrf installs a Rails initializer
 [that extends the application controllers](https://github.com/Sinbadsoft/angular_csrf/blob/master/lib/angular_csrf.rb)
 to perform these tasks.

data/lib/angular_csrf.rb CHANGED Viewed

@@ -13,7 +13,7 @@ module AngularCsrf
       define_method :verified_request_with_angular_header? do
         verified_request_without_angular_header? ||
-          form_authenticity_token == request.headers[ANGULAR_CSRF_HEADER_NAME]
+          valid_authenticity_token?(session, request.headers[ANGULAR_CSRF_HEADER_NAME])
       end
       alias_method_chain :verified_request?, :angular_header
     end

data/lib/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AngularCsrf
-  VERSION = '0.1.2'
+  VERSION = '0.1.3'
 end

data/spec/angular_csrf_spec.rb CHANGED Viewed

@@ -1,33 +1,25 @@
 require 'rails_helper'
 describe 'angular_csrf', type: :request do
-  it 'sets expected AngularJS csrf cookie' do
+  it 'validates csrf protection using AngularJS set header name and with AngularJS cookie value' do
     get '/'
-    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to_not be_nil
-    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to eq(session[:_csrf_token])
-  end
-  it 'checks AngularJS csrf http header for csrf protection' do
-    get '/'
-    post '/', { }, AngularCsrf::ANGULAR_CSRF_HEADER_NAME => session[:_csrf_token]
-    expect(response.status).to eq(201)
-  end
+    expect do
+      post '/'
+    end.to raise_error(ActionController::InvalidAuthenticityToken)
-  it 'not modify behavior for default csrf http header' do
-    get '/'
-    post '/', { }, 'X-CSRF-Token' => session[:_csrf_token]
+    post '/', { }, AngularCsrf::ANGULAR_CSRF_HEADER_NAME => response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]
     expect(response.status).to eq(201)
   end
-  it 'changes AngularJS csrf cookie value on csrf token change' do
+  it 'does not modify behavior for default csrf http header' do
     get '/'
-    old_csrf_token = session[:_csrf_token]
-    post '/create_and_reset_session', { },
-         AngularCsrf::ANGULAR_CSRF_HEADER_NAME => response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]
-    expect(response.status).to eq(201)
+    expect do
+      post '/'
+    end.to raise_error(ActionController::InvalidAuthenticityToken)
-    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to_not eq(old_csrf_token)
-    expect(response.cookies[AngularCsrf::ANGULAR_CSRF_COOKIE_NAME]).to eq(session[:_csrf_token])
+    post '/', { }, 'X-CSRF-Token' => session[:_csrf_token]
+    expect(response.status).to eq(201)
   end
 end

data/spec/rails_app/Gemfile CHANGED Viewed

@@ -1,4 +1,4 @@
 source 'https://rubygems.org'
-gem 'rails', '4.1.7'
+gem 'rails', '4.2.0'
 gem 'angular_csrf', path: '../../'

data/spec/rails_app/Gemfile.lock CHANGED Viewed

@@ -1,74 +1,99 @@
 PATH
   remote: ../../
   specs:
-    angular_csrf (0.1.0)
+    angular_csrf (0.1.3)
       rails (>= 3.1)
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (4.1.7)
-      actionpack (= 4.1.7)
-      actionview (= 4.1.7)
+    actionmailer (4.2.0)
+      actionpack (= 4.2.0)
+      actionview (= 4.2.0)
+      activejob (= 4.2.0)
       mail (~> 2.5, >= 2.5.4)
-    actionpack (4.1.7)
-      actionview (= 4.1.7)
-      activesupport (= 4.1.7)
-      rack (~> 1.5.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (4.2.0)
+      actionview (= 4.2.0)
+      activesupport (= 4.2.0)
+      rack (~> 1.6.0)
       rack-test (~> 0.6.2)
-    actionview (4.1.7)
-      activesupport (= 4.1.7)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    actionview (4.2.0)
+      activesupport (= 4.2.0)
       builder (~> 3.1)
       erubis (~> 2.7.0)
-    activemodel (4.1.7)
-      activesupport (= 4.1.7)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.1)
+    activejob (4.2.0)
+      activesupport (= 4.2.0)
+      globalid (>= 0.3.0)
+    activemodel (4.2.0)
+      activesupport (= 4.2.0)
       builder (~> 3.1)
-    activerecord (4.1.7)
-      activemodel (= 4.1.7)
-      activesupport (= 4.1.7)
-      arel (~> 5.0.0)
-    activesupport (4.1.7)
-      i18n (~> 0.6, >= 0.6.9)
+    activerecord (4.2.0)
+      activemodel (= 4.2.0)
+      activesupport (= 4.2.0)
+      arel (~> 6.0)
+    activesupport (4.2.0)
+      i18n (~> 0.7)
       json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
-      thread_safe (~> 0.1)
+      thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    arel (5.0.1.20140414130214)
+    arel (6.0.0)
     builder (3.2.2)
     erubis (2.7.0)
+    globalid (0.3.0)
+      activesupport (>= 4.1.0)
     hike (1.2.3)
-    i18n (0.6.11)
+    i18n (0.7.0)
     json (1.8.1)
+    loofah (2.0.1)
+      nokogiri (>= 1.5.9)
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
     mime-types (2.4.3)
-    minitest (5.4.2)
+    mini_portile (0.6.1)
+    minitest (5.5.0)
     multi_json (1.10.1)
-    rack (1.5.2)
+    nokogiri (1.6.5)
+      mini_portile (~> 0.6.0)
+    rack (1.6.0)
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (4.1.7)
-      actionmailer (= 4.1.7)
-      actionpack (= 4.1.7)
-      actionview (= 4.1.7)
-      activemodel (= 4.1.7)
-      activerecord (= 4.1.7)
-      activesupport (= 4.1.7)
+    rails (4.2.0)
+      actionmailer (= 4.2.0)
+      actionpack (= 4.2.0)
+      actionview (= 4.2.0)
+      activejob (= 4.2.0)
+      activemodel (= 4.2.0)
+      activerecord (= 4.2.0)
+      activesupport (= 4.2.0)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.1.7)
-      sprockets-rails (~> 2.0)
-    railties (4.1.7)
-      actionpack (= 4.1.7)
-      activesupport (= 4.1.7)
+      railties (= 4.2.0)
+      sprockets-rails
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.5)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.1)
+      loofah (~> 2.0)
+    railties (4.2.0)
+      actionpack (= 4.2.0)
+      activesupport (= 4.2.0)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (10.3.2)
+    rake (10.4.2)
     sprockets (2.12.3)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.2.0)
+    sprockets-rails (2.2.2)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
@@ -83,4 +108,4 @@ PLATFORMS
 DEPENDENCIES
   angular_csrf!
-  rails (= 4.1.7)
+  rails (= 4.2.0)

data/spec/rails_app/config/environments/production.rb CHANGED Viewed

@@ -20,7 +20,7 @@ Rails.application.configure do
   # config.action_dispatch.rack_cache = true
   # Disable Rails's static asset server (Apache or nginx will already do this).
-  config.serve_static_assets = false
+  config.serve_static_files = false
   # Specifies the header that your server uses for sending files.

data/spec/rails_app/config/environments/test.rb CHANGED Viewed

@@ -13,7 +13,7 @@ Rails.application.configure do
   config.eager_load = false
   # Configure static asset server for tests with Cache-Control for performance.
-  config.serve_static_assets  = true
+  config.serve_static_files  = true
   config.static_cache_control = 'public, max-age=3600'
   # Show full error reports and disable caching.

data/spec/rails_app/log/development.log CHANGED Viewed

@@ -18,3 +18,58 @@ Completed 200 OK in 0ms
 Started GET "/" for 127.0.0.1 at 2014-11-08 22:52:50 +0100
 Processing by GuineaPigController#index as HTML
 Completed 200 OK in 23ms
+Started GET "/" for ::1 at 2014-12-29 16:05:04 +0100
+Processing by GuineaPigController#index as HTML
+Completed 200 OK in 7ms
+Started GET "/" for ::1 at 2014-12-29 16:05:16 +0100
+Processing by GuineaPigController#index as HTML
+Completed 200 OK in 0ms
+Started GET "/" for ::1 at 2014-12-29 16:05:43 +0100
+Processing by GuineaPigController#index as HTML
+Completed 200 OK in 1ms
+Started GET "/" for ::1 at 2014-12-29 16:07:32 +0100
+Processing by GuineaPigController#index as HTML
+Completed 200 OK in 0ms
+Started GET "/create" for ::1 at 2014-12-29 16:07:40 +0100
+ActionController::RoutingError (No route matches [GET] "/create"):
+  actionpack (4.2.0) lib/action_dispatch/middleware/debug_exceptions.rb:21:in `call'
+  actionpack (4.2.0) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
+  railties (4.2.0) lib/rails/rack/logger.rb:38:in `call_app'
+  railties (4.2.0) lib/rails/rack/logger.rb:20:in `block in call'
+  activesupport (4.2.0) lib/active_support/tagged_logging.rb:68:in `block in tagged'
+  activesupport (4.2.0) lib/active_support/tagged_logging.rb:26:in `tagged'
+  activesupport (4.2.0) lib/active_support/tagged_logging.rb:68:in `tagged'
+  railties (4.2.0) lib/rails/rack/logger.rb:20:in `call'
+  actionpack (4.2.0) lib/action_dispatch/middleware/request_id.rb:21:in `call'
+  rack (1.6.0) lib/rack/methodoverride.rb:22:in `call'
+  rack (1.6.0) lib/rack/runtime.rb:18:in `call'
+  activesupport (4.2.0) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
+  rack (1.6.0) lib/rack/lock.rb:17:in `call'
+  actionpack (4.2.0) lib/action_dispatch/middleware/static.rb:113:in `call'
+  rack (1.6.0) lib/rack/sendfile.rb:113:in `call'
+  railties (4.2.0) lib/rails/engine.rb:518:in `call'
+  railties (4.2.0) lib/rails/application.rb:164:in `call'
+  rack (1.6.0) lib/rack/lock.rb:17:in `call'
+  rack (1.6.0) lib/rack/content_length.rb:15:in `call'
+  rack (1.6.0) lib/rack/handler/webrick.rb:89:in `service'
+  /Users/nakhli/.rvm/rubies/ruby-2.1.3/lib/ruby/2.1.0/webrick/httpserver.rb:138:in `service'
+  /Users/nakhli/.rvm/rubies/ruby-2.1.3/lib/ruby/2.1.0/webrick/httpserver.rb:94:in `run'
+  /Users/nakhli/.rvm/rubies/ruby-2.1.3/lib/ruby/2.1.0/webrick/server.rb:295:in `block in start_thread'
+  Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb (0.9ms)
+  Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/routes/_route.html.erb (0.5ms)
+  Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/routes/_table.html.erb (3.8ms)
+  Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb (1.1ms)
+  Rendered /Users/nakhli/.rvm/gems/ruby-2.1.3@angular_csrf/gems/actionpack-4.2.0/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb within rescues/layout (19.4ms)