RubyGems - angular_rails_csrf - Versions diffs - 4.4.0 → 4.5.0 - Mend

angular_rails_csrf 4.4.0 → 4.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/README.md +14 -0
data/lib/angular_rails_csrf/concern.rb +11 -18
data/lib/angular_rails_csrf/version.rb +1 -1
data/test/angular_rails_csrf_test.rb +12 -0
data/test/dummy/log/test.log +288 -0
metadata +4 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f310f1cd6d8278d5b0a669bb7123a802b68cfdcda1ec443de09b85a757c10eb3
-  data.tar.gz: 4eaec5f2dcf567dd0b8cf2c7374a0a1b95c965f3226204b729cfff7aa765f6ea
+  metadata.gz: fbbe5d4e901a8407bab7ff813f821b21461330470f2e6002d4e3d1a818eea858
+  data.tar.gz: 0e69f2eefcb28ae04e1b3de4ba04d00e6e3977235b725fa26d83d46ce33bcd3f
 SHA512:
-  metadata.gz: e44c7ab3ebfefe2dbcbe184243d03ba5f0eac7aa7b0b760aaf7cbd878468394cc519e7433bf72ef2dfd8ffcf3e0e099a18290035b86760e5143bf11a3236f42f
-  data.tar.gz: 57ce6512718fd75d5fbeb82e54577314b448b3c1b9e4714ad9b8b1021033501bc481e2d70a4f1b3c930727aa020a827535a357319e7a8928ba10e158d6ce8478
+  metadata.gz: 8ab71939bec130bfc22e79dabff8e904591990c178b03de610cb5592aa41bb6aeab73cf34340efe77592179c94b1b455029ee50f94955eca2f2bb28955f4f3f1
+  data.tar.gz: 0571fe4d59a0ed421942c37f357d34b3fd05f2fa8f5a98801d327d9054bf8cb5123f4b2c833053a34e82d96d103e53300d29c3303628c1c6d2a2d63bd43c07b7

data/README.md CHANGED

@@ -82,6 +82,20 @@ end
 Please note that [Safari is known to have issues](https://bugs.webkit.org/show_bug.cgi?id=198181) with SameSite attribute set to `:none`.
+### HttpOnly Cookie
+To set the ["httponly" flag](https://owasp.org/www-community/HttpOnly) for your cookie, set the `angular_rails_csrf_httponly` option to `true`:
+```ruby
+# application.rb
+class Application < Rails::Application
+  #...
+  config.angular_rails_csrf_httponly = true
+end
+```
+`angular_rails_csrf_httponly` defaults to `false`.
 ### Exclusions
 Sometimes you will want to skip setting the XSRF token for certain controllers (for example, when using SSE or ActionCable, as discussed [here](https://github.com/jsanders/angular_rails_csrf/issues/7)):

data/lib/angular_rails_csrf/concern.rb CHANGED

@@ -13,17 +13,20 @@ module AngularRailsCsrf
       config = Rails.application.config
-      same_site = same_site_from config
-      secure = secure_from config
+      secure = option_from config, :angular_rails_csrf_secure
+      same_site = option_from config, :angular_rails_csrf_same_site, :lax
       cookie_options = {
         value: form_authenticity_token,
-        domain: domain_from(config),
+        domain: option_from(config, :angular_rails_csrf_domain),
         same_site: same_site,
+        httponly: option_from(config, :angular_rails_csrf_httponly, false),
         secure: same_site.eql?(:none) || secure
       }
-      cookie_name = cookie_name_from config
+      cookie_name = option_from(config,
+                                :angular_rails_csrf_cookie_name,
+                                'XSRF-TOKEN')
       cookies[cookie_name] = cookie_options
     end
@@ -33,20 +36,10 @@ module AngularRailsCsrf
     private
-    def same_site_from(config)
-      config.respond_to?(:angular_rails_csrf_same_site) ? config.angular_rails_csrf_same_site : :lax
-    end
-    def secure_from(config)
-      config.angular_rails_csrf_secure if config.respond_to?(:angular_rails_csrf_secure)
-    end
-    def domain_from(config)
-      config.respond_to?(:angular_rails_csrf_domain) ? config.angular_rails_csrf_domain : nil
-    end
-    def cookie_name_from(config)
-      config.respond_to?(:angular_rails_csrf_cookie_name) ? config.angular_rails_csrf_cookie_name : 'XSRF-TOKEN'
+    # Fetches the given option from config
+    # If the option is not set, return a default value
+    def option_from(config, option, default = nil)
+      config.respond_to?(option) ? config.send(option) : default
     end
     module ClassMethods

data/lib/angular_rails_csrf/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module AngularRailsCsrf
-  VERSION = '4.4.0'
+  VERSION = '4.5.0'
 end

data/test/angular_rails_csrf_test.rb CHANGED

@@ -78,6 +78,18 @@ class AngularRailsCsrfTest < ActionController::TestCase
     end
   end
+  test 'the httponly flag is set if configured' do
+    config = Rails.application.config
+    config.define_singleton_method(:angular_rails_csrf_httponly) { true }
+    get :index
+    assert @response.headers['Set-Cookie'].include?('HttpOnly')
+    assert_valid_cookie
+    assert_response :success
+  ensure
+    config.instance_eval('undef :angular_rails_csrf_httponly', __FILE__, __LINE__)
+  end
   test 'same_site is set to Lax by default' do
     get :index
     assert @response.headers['Set-Cookie'].include?('SameSite=Lax')

data/test/dummy/log/test.log CHANGED

@@ -1934,3 +1934,291 @@ AngularRailsCsrfSkipTest: test_csrf-cookie_is_not_set_and_no_error_if_protect_ag
 -------------------------------------------------------------------------------------------------------------
 Processing by ApiController#index as HTML
 Completed 200 OK in 0ms (Allocations: 84)
+-------------------------------------------------------------------------------------------------------------
+AngularRailsCsrfSkipTest: test_csrf-cookie_is_not_set_and_no_error_if_protect_against_forgery?_is_not_defined
+-------------------------------------------------------------------------------------------------------------
+Processing by ApiController#index as HTML
+Completed 200 OK in 0ms (Allocations: 88)
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms (Allocations: 192)
+-----------------------------------------------------------------
+AngularRailsCsrfTest: test_the_httponly_flag_is_set_if_configured
+-----------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 105)
+-------------------------------------------------------------------------
+AngularRailsCsrfTest: test_csrf-cookie_is_not_set_if_exclusion_is_enabled
+-------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 74)
+-------------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_is_set_to_Lax_by_default
+-------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 115)
+------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_secure_is_set_automatically_when_same_site_is_set_to_none
+------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------
+AngularRailsCsrfTest: test_a_custom_name_is_used_if_present
+-----------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+---------------------------------------------------------------
+AngularRailsCsrfTest: test_the_secure_flag_is_set_if_configured
+---------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 110)
+------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_can_be_configured
+------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 98)
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms (Allocations: 71)
+-------------------------------------------------------------------------------------------------------------
+AngularRailsCsrfSkipTest: test_csrf-cookie_is_not_set_and_no_error_if_protect_against_forgery?_is_not_defined
+-------------------------------------------------------------------------------------------------------------
+Processing by ApiController#index as HTML
+Completed 200 OK in 0ms (Allocations: 88)
+-----------------------------------------------------------
+AngularRailsCsrfTest: test_a_custom_name_is_used_if_present
+-----------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 12ms (Allocations: 3012)
+------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_can_be_configured
+------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 111)
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 6ms (Allocations: 2927)
+---------------------------------------------------------------
+AngularRailsCsrfTest: test_the_secure_flag_is_set_if_configured
+---------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_secure_is_set_automatically_when_same_site_is_set_to_none
+------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 500 Internal Server Error in 6ms (Allocations: 3046)
+-------------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_is_set_to_Lax_by_default
+-------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+-------------------------------------------------------------------------
+AngularRailsCsrfTest: test_csrf-cookie_is_not_set_if_exclusion_is_enabled
+-------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 74)
+-----------------------------------------------------------------
+AngularRailsCsrfTest: test_the_httponly_flag_is_set_if_configured
+-----------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 98)
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms (Allocations: 71)
+-------------------------------------------------------------------------------------------------------------
+AngularRailsCsrfSkipTest: test_csrf-cookie_is_not_set_and_no_error_if_protect_against_forgery?_is_not_defined
+-------------------------------------------------------------------------------------------------------------
+Processing by ApiController#index as HTML
+Completed 200 OK in 0ms (Allocations: 88)
+-------------------------------------------------------------------------
+AngularRailsCsrfTest: test_csrf-cookie_is_not_set_if_exclusion_is_enabled
+-------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 128)
+------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_secure_is_set_automatically_when_same_site_is_set_to_none
+------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 114)
+-----------------------------------------------------------
+AngularRailsCsrfTest: test_a_custom_name_is_used_if_present
+-----------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 1ms (Allocations: 104)
+------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_can_be_configured
+------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 116)
+-----------------------------------------------------------------
+AngularRailsCsrfTest: test_the_httponly_flag_is_set_if_configured
+-----------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 115)
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 98)
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+---------------------------------------------------------------
+AngularRailsCsrfTest: test_the_secure_flag_is_set_if_configured
+---------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms (Allocations: 125)
+-------------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_is_set_to_Lax_by_default
+-------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms (Allocations: 71)
+-------------------------------------------------------------------------------------------------------------
+AngularRailsCsrfSkipTest: test_csrf-cookie_is_not_set_and_no_error_if_protect_against_forgery?_is_not_defined
+-------------------------------------------------------------------------------------------------------------
+Processing by ApiController#index as HTML
+Completed 200 OK in 0ms (Allocations: 88)
+-----------------------------------------------------------------
+AngularRailsCsrfTest: test_the_httponly_flag_is_set_if_configured
+-----------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 168)
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms (Allocations: 131)
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 105)
+---------------------------------------------------------------
+AngularRailsCsrfTest: test_the_secure_flag_is_set_if_configured
+---------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-------------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_is_set_to_Lax_by_default
+-------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_secure_is_set_automatically_when_same_site_is_set_to_none
+------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------
+AngularRailsCsrfTest: test_a_custom_name_is_used_if_present
+-----------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 103)
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 115)
+-------------------------------------------------------------------------
+AngularRailsCsrfTest: test_csrf-cookie_is_not_set_if_exclusion_is_enabled
+-------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 74)
+------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_can_be_configured
+------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms (Allocations: 71)

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: angular_rails_csrf
 version: !ruby/object:Gem::Version
-  version: 4.4.0
+  version: 4.5.0
 platform: ruby
 authors:
 - James Sanders
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-08-04 00:00:00.000000000 Z
+date: 2020-09-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -45,14 +45,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.2
+        version: 6.0.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.2
+        version: 6.0.3.3
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement