angular_rails_csrf 2.1.1 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: d93762ebe8c4484575471e50ae7316781bc2cec9
-  data.tar.gz: 84f0881fe1db08179afa56e6f1ec3839a6527408
+SHA256:
+  metadata.gz: 46c071748a311ae8620db42c99aeebbb70e270c17153d33b0afe85cdd4ef6dcf
+  data.tar.gz: 7c99418f7d10eced3a505fdfef58d9a8762ba7b718b5ca08fb9380ed5accbb29
 SHA512:
-  metadata.gz: 657223223e1c1deef539f651191a42718fd5f2dd5086b6ec5be2c876a912e0de6ba352f5740bbfe5166b79a320ac15bb843f21e0b7e276650d5dc4add1656225
-  data.tar.gz: 55e928d9f0f4f5ba9e5b867ff245080ec8e026dc6b8ee7e8440e9efba00135561272984e4bccabd7b6be3b03484cc86935724397d64316d1a91fcd135e6b94e9
+  metadata.gz: 941d76219cfb18d18c07ba8f714600e112430155c261a6cdd2c25f6b10803fa8d0fbfcfa00c3bcfd9b5d30a34e6118991cf46d81353bcd0b45a6672a17ffcc38
+  data.tar.gz: bc619bd6466b724a21492ba7d0411159a9392143af7da19f24abf4968f1c78e48f05792d19cfdc6a89d4d1d13dba887af04d81cec21cf23dfea3546dea163dba

data/README.md

@@ -10,7 +10,9 @@ This project adds direct support for this scheme to your Rails application witho
 
 Note that there is nothing AngularJS specific here, and this will work with any other front-end that implements the same scheme.
 
-### Installation
+*Version 3 supports only Rails 4+ and Ruby 2.3+. If you are still on Rails 3 (2, 1?!), you have to utilize version 2.1.1!*
+
+## Installation
 
 Add this line to your application's *Gemfile*:
 
@@ -22,6 +24,21 @@ And then execute:
 
 That's it!
 
+## Configuration
+### Cookie Domain
+
+Starting from version 3, you may set domain for the XSRF cookie:
+
+```ruby
+# application.rb
+class Application < Rails::Application
+  #...
+  config.angular_rails_csrf_domain = :all
+end
+```
+
+If `angular_rails_csrf_domain` is not set, it defaults to `nil`.
+
 ### Exclusions
 
 Sometimes you will want to skip setting the XSRF token for certain controllers (for example, when using SSE or ActionCable, as discussed [here](https://github.com/jsanders/angular_rails_csrf/issues/7)):
@@ -34,6 +51,20 @@ class ExclusionsController < ApplicationController
 end
 ```
 
-### License 
+## Testing
+
+Run
+
+```console
+$ bundle install
+```
+
+and then
+
+```console
+$ rake test
+```
+
+## License 
 
 Licensed under the [MIT License](https://github.com/jsanders/angular_rails_csrf/blob/master/LICENSE).

data/lib/angular_rails_csrf/concern.rb

@@ -3,16 +3,14 @@ module AngularRailsCsrf
     extend ActiveSupport::Concern
 
     included do
-      if Rails::VERSION::MAJOR < 4
-        after_filter :set_xsrf_token_cookie
-      else
-        after_action :set_xsrf_token_cookie
-      end
+      after_action :set_xsrf_token_cookie
     end
 
     def set_xsrf_token_cookie
       if protect_against_forgery? && !respond_to?(:__exclude_xsrf_token_cookie?)
-        cookies['XSRF-TOKEN'] = form_authenticity_token
+        config = Rails.application.config
+        domain = config.respond_to?(:angular_rails_csrf_domain) ? config.angular_rails_csrf_domain : nil
+        cookies['XSRF-TOKEN'] = { value: form_authenticity_token, domain: domain }
       end
     end
 

data/lib/angular_rails_csrf/railtie.rb

@@ -2,7 +2,7 @@ require 'angular_rails_csrf/concern'
 
 module AngularRailsCsrf
   class Railtie < ::Rails::Railtie
-    initializer 'angular-rails-csrf' do |app|
+    initializer 'angular-rails-csrf' do |_app|
       ActiveSupport.on_load(:action_controller) do
         include AngularRailsCsrf::Concern
       end

data/lib/angular_rails_csrf/version.rb

@@ -1,3 +1,3 @@
 module AngularRailsCsrf
-  VERSION = "2.1.1"
+  VERSION = '3.0.0'.freeze
 end

data/test/angular_rails_csrf_test.rb

@@ -29,13 +29,22 @@ class AngularRailsCsrfTest < ActionController::TestCase
     assert_response :success
   end
 
+  test "the domain is used if present" do
+    config = Rails.application.config
+    def config.angular_rails_csrf_domain; :all; end
+
+    get :index
+    assert @response.headers['Set-Cookie'].include?('.test.host')
+    assert_valid_cookie
+    assert_response :success
+  end
+
   private
 
   # Helpers
 
   def set_header_to(value)
-    # Rails 3 uses `env` and Rails 4 uses `headers`
-    @request.env['X-XSRF-TOKEN'] = @request.headers['X-XSRF-TOKEN'] = value
+    @request.headers['X-XSRF-TOKEN'] = value
   end
 
   def assert_valid_cookie

data/test/dummy/app/controllers/application_controller.rb

@@ -1,13 +1,6 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery with: :exception
 
-  if Rails::VERSION::MAJOR < 4
-    # Mimic `protect_from_forgery with: :exception` for older Rails versions.
-    def handle_unverified_request
-      raise ActionController::InvalidAuthenticityToken
-    end
-  end
-
   def index;  head :ok; end
   def create; head :ok; end
 end

data/test/dummy/log/test.log

@@ -79,3 +79,297 @@ AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
 ----------------------------------------------------------------------------
 Processing by ExclusionsController#index as HTML
 Completed 200 OK in 1ms
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 1ms
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 1ms
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 1ms
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 1ms
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 1ms
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 1ms
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 1ms
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 1ms
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 1ms
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 1ms
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 1ms
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 1ms
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 1ms
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 1ms
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 1ms
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 1ms
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 1ms
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 1ms
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 1ms
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 1ms
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 1ms
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: angular_rails_csrf
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 3.0.0
 platform: ruby
 authors:
 - James Sanders
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-15 00:00:00.000000000 Z
+date: 2018-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -45,14 +45,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.1.1
+        version: 5.1.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.1.1
+        version: 5.1.4
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
@@ -118,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.12
+rubygems_version: 2.7.4
 signing_key: 
 specification_version: 4
 summary: Support for AngularJS $http service style CSRF protection in Rails