angular_rails_csrf 4.0.0 → 4.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fe9fb037133e9bf60dcd922bd29936ab85b8c4c730cba28ac2602703ab24401d
-  data.tar.gz: 652584f4e71bf641625437f9e5c596fc4d33737fd6381b2d30d9ab64aad00049
+  metadata.gz: f310f1cd6d8278d5b0a669bb7123a802b68cfdcda1ec443de09b85a757c10eb3
+  data.tar.gz: 4eaec5f2dcf567dd0b8cf2c7374a0a1b95c965f3226204b729cfff7aa765f6ea
 SHA512:
-  metadata.gz: fcba72111050df7ee9184c1d12ad1ce1bc9c4f006d8fa51e6cfeaa11180609893fc44e055a1274ef631f7fefbee1afaf73217083a01725d5508ce34f263099c8
-  data.tar.gz: 5387400b46c17e2e7edf9b426f45dc83763a43f634d4d8a1baccca4a4d09ae910e17392a7d3391cdfa464b6823908586180aba3d72b52fe7890e766c42bceacd
+  metadata.gz: e44c7ab3ebfefe2dbcbe184243d03ba5f0eac7aa7b0b760aaf7cbd878468394cc519e7433bf72ef2dfd8ffcf3e0e099a18290035b86760e5143bf11a3236f42f
+  data.tar.gz: 57ce6512718fd75d5fbeb82e54577314b448b3c1b9e4714ad9b8b1021033501bc481e2d70a4f1b3c930727aa020a827535a357319e7a8928ba10e158d6ce8478

data/README.md

@@ -2,6 +2,7 @@
 
 [![Gem Version](https://badge.fury.io/rb/angular_rails_csrf.svg)](https://badge.fury.io/rb/angular_rails_csrf)
 [![Build Status](https://travis-ci.org/jsanders/angular_rails_csrf.svg)](https://travis-ci.org/jsanders/angular_rails_csrf)
+[![Test Coverage](https://codecov.io/gh/jsanders/angular_rails_csrf/graph/badge.svg)](https://codecov.io/gh/jsanders/angular_rails_csrf)
 
 The AngularJS [ng.$http](http://docs.angularjs.org/api/ng.$http) service has built-in CSRF protection. By default, it looks for a cookie named `XSRF-TOKEN` and, if found, writes its value into an `X-XSRF-TOKEN` header, which the server compares with the CSRF token saved in the user's session.
 
@@ -9,7 +10,7 @@ This project adds direct support for this scheme to your Rails application witho
 
 Note that there is nothing AngularJS specific here, and this will work with any other front-end that implements the same scheme.
 
-*Version 3 supports only Rails 4+ and Ruby 2.3+. If you are still on Rails 3 (2, 1?!), you have to utilize version 2.1.1!*
+Check [version compatibility](https://github.com/jsanders/angular_rails_csrf/wiki/Version-Compatibility) to learn which Rails/Rubies are currently supported.
 
 ## Installation
 
@@ -51,6 +52,36 @@ end
 
 If `angular_rails_csrf_domain` is not set, it defaults to `nil`.
 
+### Secure Cookie
+
+To set a "secure" flag for the cookie, set the `angular_rails_csrf_secure` option to `true`:
+
+```ruby
+# application.rb
+class Application < Rails::Application
+  #...
+  config.angular_rails_csrf_secure = true
+end
+```
+
+`angular_rails_csrf_secure` defaults to `false`.
+
+### SameSite
+
+The SameSite attribute defaults to `:lax`. You can override this in the config:
+
+```ruby
+# application.rb
+class Application < Rails::Application
+  #...
+  config.angular_rails_csrf_same_site = :strict
+end
+```
+
+**NOTE**: When using `config.angular_rails_csrf_same_site = :none`, this gem automatically sets the cookie to `Secure` (`config.angular_rails_csrf_secure = true`) to comply with [the specifications](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00).
+
+Please note that [Safari is known to have issues](https://bugs.webkit.org/show_bug.cgi?id=198181) with SameSite attribute set to `:none`.
+
 ### Exclusions
 
 Sometimes you will want to skip setting the XSRF token for certain controllers (for example, when using SSE or ActionCable, as discussed [here](https://github.com/jsanders/angular_rails_csrf/issues/7)):
@@ -58,7 +89,7 @@ Sometimes you will want to skip setting the XSRF token for certain controllers (
 ```ruby
 class ExclusionsController < ApplicationController
   exclude_xsrf_token_cookie
-  
+
   # your actions here...
 end
 ```
@@ -77,6 +108,6 @@ and then
 $ rake test
 ```
 
-## License 
+## License
 
 Licensed under the [MIT License](https://github.com/jsanders/angular_rails_csrf/blob/master/LICENSE).

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 begin
   require 'bundler/setup'
 rescue LoadError
@@ -14,19 +16,14 @@ RDoc::Task.new(:rdoc) do |rdoc|
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
-
-
-
 Bundler::GemHelper.install_tasks
 
 require 'rake/testtask'
 
 Rake::TestTask.new(:test) do |t|
-  t.libs << 'lib'
-  t.libs << 'test'
+  t.libs = %w[lib test]
   t.pattern = 'test/**/*_test.rb'
   t.verbose = false
 end
 
-
 task default: :test

data/lib/angular_rails_csrf.rb

@@ -1 +1,3 @@
+# frozen_string_literal: true
+
 require 'angular_rails_csrf/railtie'

data/lib/angular_rails_csrf/concern.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module AngularRailsCsrf
   module Concern
     extend ActiveSupport::Concern
@@ -7,25 +9,49 @@ module AngularRailsCsrf
     end
 
     def set_xsrf_token_cookie
-      if protect_against_forgery? && !respond_to?(:__exclude_xsrf_token_cookie?)
-        config = Rails.application.config
-        domain = config.respond_to?(:angular_rails_csrf_domain) ? config.angular_rails_csrf_domain : nil
-        cookie_name = config.respond_to?(:angular_rails_csrf_cookie_name) ? config.angular_rails_csrf_cookie_name : 'XSRF-TOKEN'
-        cookies[cookie_name] = { value: form_authenticity_token, domain: domain }
-      end
+      return unless defined?(protect_against_forgery?) && protect_against_forgery? && !respond_to?(:__exclude_xsrf_token_cookie?)
+
+      config = Rails.application.config
+
+      same_site = same_site_from config
+      secure = secure_from config
+
+      cookie_options = {
+        value: form_authenticity_token,
+        domain: domain_from(config),
+        same_site: same_site,
+        secure: same_site.eql?(:none) || secure
+      }
+
+      cookie_name = cookie_name_from config
+      cookies[cookie_name] = cookie_options
     end
 
     def verified_request?
-      if respond_to?(:valid_authenticity_token?, true)
-        super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN'])
-      else
-        super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
-      end
+      super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN'])
+    end
+
+    private
+
+    def same_site_from(config)
+      config.respond_to?(:angular_rails_csrf_same_site) ? config.angular_rails_csrf_same_site : :lax
+    end
+
+    def secure_from(config)
+      config.angular_rails_csrf_secure if config.respond_to?(:angular_rails_csrf_secure)
+    end
+
+    def domain_from(config)
+      config.respond_to?(:angular_rails_csrf_domain) ? config.angular_rails_csrf_domain : nil
+    end
+
+    def cookie_name_from(config)
+      config.respond_to?(:angular_rails_csrf_cookie_name) ? config.angular_rails_csrf_cookie_name : 'XSRF-TOKEN'
     end
 
     module ClassMethods
       def exclude_xsrf_token_cookie
-        self.class_eval do
+        class_eval do
           def __exclude_xsrf_token_cookie?
             true
           end

data/lib/angular_rails_csrf/railtie.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'angular_rails_csrf/concern'
 
 module AngularRailsCsrf

data/lib/angular_rails_csrf/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module AngularRailsCsrf
-  VERSION = '4.0.0'.freeze
+  VERSION = '4.4.0'
 end

data/test/angular_rails_csrf_exception_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 class AngularRailsCsrfExceptionTest < ActionController::TestCase
@@ -8,9 +10,9 @@ class AngularRailsCsrfExceptionTest < ActionController::TestCase
     @correct_token = @controller.send(:form_authenticity_token)
   end
 
-  test "a get does not set the XSRF-TOKEN cookie" do
+  test 'a get does not set the XSRF-TOKEN cookie' do
     get :index
     assert_not_equal @correct_token, cookies['XSRF-TOKEN']
     assert_response :success
   end
-end
+end

data/test/angular_rails_csrf_skip_test.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class AngularRailsCsrfSkipTest < ActionController::TestCase
+  tests ApiController
+
+  test 'csrf-cookie is not set and no error if protect_against_forgery? is not defined' do
+    refute @controller.respond_to?(:protect_against_forgery?)
+    get :index
+    assert_nil cookies['XSRF-TOKEN']
+    assert_response :success
+  end
+end

data/test/angular_rails_csrf_test.rb

@@ -1,74 +1,140 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 class AngularRailsCsrfTest < ActionController::TestCase
   tests ApplicationController
 
-  test "a get sets the XSRF-TOKEN cookie but does not require the X-XSRF-TOKEN header" do
+  test 'a get sets the XSRF-TOKEN cookie but does not require the X-XSRF-TOKEN header' do
     get :index
     assert_valid_cookie
     assert_response :success
   end
 
-  test "a post raises an error without the X-XSRF-TOKEN header set" do
+  test 'a post raises an error without the X-XSRF-TOKEN header set' do
     assert_raises ActionController::InvalidAuthenticityToken do
       post :create
     end
   end
 
-  test "a post raises an error with the X-XSRF-TOKEN header set to the wrong value" do
-    set_header_to 'garbage'
+  test 'a post raises an error with the X-XSRF-TOKEN header set to the wrong value' do
+    header_to 'garbage'
     assert_raises ActionController::InvalidAuthenticityToken do
       post :create
     end
   end
 
-  test "a post is accepted if X-XSRF-TOKEN is set properly" do
-    set_header_to @controller.send(:form_authenticity_token)
+  test 'a post is accepted if X-XSRF-TOKEN is set properly' do
+    header_to @controller.send(:form_authenticity_token)
     post :create
     assert_valid_cookie
     assert_response :success
   end
 
-  test "the domain is used if present" do
+  test 'csrf-cookie is not set if exclusion is enabled' do
+    refute @controller.respond_to?(:__exclude_xsrf_token_cookie?)
+    @controller.class_eval { exclude_xsrf_token_cookie }
+    get :index
+    assert_valid_cookie present: false
+    assert @controller.__exclude_xsrf_token_cookie?
+    assert_response :success
+  end
+
+  test 'the domain is used if present' do
     config = Rails.application.config
-    def config.angular_rails_csrf_domain; :all; end
+    def config.angular_rails_csrf_domain
+      :all
+    end
 
     get :index
     assert @response.headers['Set-Cookie'].include?('.test.host')
     assert_valid_cookie
     assert_response :success
+  ensure
+    config.instance_eval('undef :angular_rails_csrf_domain', __FILE__, __LINE__)
+  end
+
+  test 'the secure flag is set if configured' do
+    @request.headers['HTTPS'] = 'on'
+
+    config = Rails.application.config
+    config.define_singleton_method(:angular_rails_csrf_secure) { true }
+
+    get :index
+    assert @response.headers['Set-Cookie'].include?('secure')
+    assert_valid_cookie
+    assert_response :success
+  ensure
+    @request.headers['HTTPS'] = nil
+    config.instance_eval('undef :angular_rails_csrf_secure', __FILE__, __LINE__)
   end
 
-  test "a custom name is used if present" do
+  test 'a custom name is used if present' do
     use_custom_cookie_name do
       get :index
       assert @response.headers['Set-Cookie'].include?('CUSTOM-COOKIE-NAME')
-      assert_valid_cookie('CUSTOM-COOKIE-NAME')
+      assert_valid_cookie name: 'CUSTOM-COOKIE-NAME'
       assert_response :success
     end
   end
 
+  test 'same_site is set to Lax by default' do
+    get :index
+    assert @response.headers['Set-Cookie'].include?('SameSite=Lax')
+    assert_valid_cookie
+    assert_response :success
+  end
+
+  test 'same_site can be configured' do
+    config = Rails.application.config
+    config.define_singleton_method(:angular_rails_csrf_same_site) { :strict }
+
+    get :index
+    assert @response.headers['Set-Cookie'].include?('SameSite=Strict')
+    assert_valid_cookie
+    assert_response :success
+  ensure
+    config.instance_eval('undef :angular_rails_csrf_same_site', __FILE__, __LINE__)
+  end
+
+  test 'secure is set automatically when same_site is set to none' do
+    @request.headers['HTTPS'] = 'on'
+
+    config = Rails.application.config
+    config.define_singleton_method(:angular_rails_csrf_same_site) { :none }
+
+    get :index
+    assert @response.headers['Set-Cookie'].include?('SameSite=None')
+    assert @response.headers['Set-Cookie'].include?('secure')
+    assert_valid_cookie
+    assert_response :success
+  ensure
+    config.instance_eval('undef :angular_rails_csrf_same_site', __FILE__, __LINE__)
+  end
+
   private
 
   # Helpers
 
-  def set_header_to(value)
+  def header_to(value)
     @request.headers['X-XSRF-TOKEN'] = value
   end
 
-  def assert_valid_cookie(name = 'XSRF-TOKEN')
-    if @controller.respond_to?(:valid_authenticity_token?, true)
-      assert @controller.send(:valid_authenticity_token?, session, cookies[name])
-    else
-      assert_equal @controller.send(:form_authenticity_token), cookies['XSRF-TOKEN']
-    end
+  def assert_valid_cookie(name: 'XSRF-TOKEN', present: true)
+    cookie_valid = @controller.send(:valid_authenticity_token?, session, cookies[name])
+    cookie_valid = !cookie_valid unless present
+    assert cookie_valid
   end
 
   def use_custom_cookie_name
     config = Rails.application.config
-    def config.angular_rails_csrf_cookie_name; 'CUSTOM-COOKIE-NAME'; end
+    def config.angular_rails_csrf_cookie_name
+      'CUSTOM-COOKIE-NAME'
+    end
     yield
   ensure
-    config.instance_eval('undef :angular_rails_csrf_cookie_name')
+    eval <<-RUBY, binding, __FILE__, __LINE__ + 1
+      config.instance_eval('undef :angular_rails_csrf_cookie_name')
+    RUBY
   end
 end

data/test/dummy/app/assets/config/manifest.js

@@ -0,0 +1,4 @@
+//= link_tree ../images
+//= link_tree ../fonts
+//= link_directory ../javascripts .js
+//= link_directory ../stylesheets .css

data/test/dummy/app/controllers/api_controller.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class ApiController < ActionController::API
+  def index
+    head :ok
+  end
+end

data/test/dummy/app/controllers/application_controller.rb

@@ -1,6 +1,13 @@
+# frozen_string_literal: true
+
 class ApplicationController < ActionController::Base
   protect_from_forgery with: :exception
 
-  def index;  head :ok; end
-  def create; head :ok; end
+  def index
+    head :ok
+  end
+
+  def create
+    head :ok
+  end
 end

data/test/dummy/app/controllers/exclusions_controller.rb

@@ -1,5 +1,9 @@
+# frozen_string_literal: true
+
 class ExclusionsController < ApplicationController
   exclude_xsrf_token_cookie
 
-  def index;  head :ok; end
-end
+  def index
+    head :ok
+  end
+end

data/test/dummy/config.ru

@@ -1,4 +1,6 @@
+# frozen_string_literal: true
+
 # This file is used by Rack-based servers to start the application.
 
-require ::File.expand_path('../config/environment',  __FILE__)
+require ::File.expand_path('config/environment', __dir__)
 run Rails.application

data/test/dummy/config/application.rb

@@ -1,9 +1,11 @@
-require File.expand_path('../boot', __FILE__)
+# frozen_string_literal: true
 
-require "action_controller/railtie"
+require File.expand_path('boot', __dir__)
+
+require 'action_controller/railtie'
 
 Bundler.require(:default, Rails.env)
-require "angular_rails_csrf"
+require 'angular_rails_csrf'
 
 module Dummy
   class Application < Rails::Application
@@ -12,4 +14,3 @@ module Dummy
     config.active_support.test_order = :random
   end
 end
-