RubyGems - angular_rails_csrf - Versions diffs - 4.5.0 → 6.0.0 - Mend

angular_rails_csrf 4.5.0 → 6.0.0

Files changed (19) hide show

checksums.yaml +4 -4
data/README.md +9 -5
data/lib/angular_rails_csrf/concern.rb +22 -13
data/lib/angular_rails_csrf/version.rb +1 -1
metadata +13 -138
data/test/angular_rails_csrf_exception_test.rb +0 -18
data/test/angular_rails_csrf_skip_test.rb +0 -14
data/test/angular_rails_csrf_test.rb +0 -152
data/test/dummy/app/assets/config/manifest.js +0 -4
data/test/dummy/app/controllers/api_controller.rb +0 -7
data/test/dummy/app/controllers/application_controller.rb +0 -13
data/test/dummy/app/controllers/exclusions_controller.rb +0 -9
data/test/dummy/config/application.rb +0 -16
data/test/dummy/config/boot.rb +0 -6
data/test/dummy/config/environment.rb +0 -7
data/test/dummy/config/routes.rb +0 -10
data/test/dummy/config.ru +0 -6
data/test/dummy/log/test.log +0 -2224
data/test/test_helper.rb +0 -18

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fbbe5d4e901a8407bab7ff813f821b21461330470f2e6002d4e3d1a818eea858
-  data.tar.gz: 0e69f2eefcb28ae04e1b3de4ba04d00e6e3977235b725fa26d83d46ce33bcd3f
+  metadata.gz: fd1f93c61de73220bcc0827bc1b460b0fd4440f5ec8597b01687aa2e0d50800e
+  data.tar.gz: 0a0133f2183e46d61798a0501ce8ebff0c43310210c8fdd245b8436289e10756
 SHA512:
-  metadata.gz: 8ab71939bec130bfc22e79dabff8e904591990c178b03de610cb5592aa41bb6aeab73cf34340efe77592179c94b1b455029ee50f94955eca2f2bb28955f4f3f1
-  data.tar.gz: 0571fe4d59a0ed421942c37f357d34b3fd05f2fa8f5a98801d327d9054bf8cb5123f4b2c833053a34e82d96d103e53300d29c3303628c1c6d2a2d63bd43c07b7
+  metadata.gz: fff212dd32057d2b57b26331d859354c4e969593e8e03901d8d002ac112b11694a04d47bd8432d4bd7e90ad52d1a3b14ec150e26d297f714891fab72c42a9b6a
+  data.tar.gz: d126f472156857b4b7460514de8fffe786ee697caee3835059bf8794cfbc5344e1c8c7473312fdb53bed369cf1622950f3b08f3c6acd7d70da009483d8e9e37e

data/README.md CHANGED Viewed

@@ -1,8 +1,8 @@
 ## AngularJS-style CSRF Protection for Rails
-[![Gem Version](https://badge.fury.io/rb/angular_rails_csrf.svg)](https://badge.fury.io/rb/angular_rails_csrf)
-[![Build Status](https://travis-ci.org/jsanders/angular_rails_csrf.svg)](https://travis-ci.org/jsanders/angular_rails_csrf)
-[![Test Coverage](https://codecov.io/gh/jsanders/angular_rails_csrf/graph/badge.svg)](https://codecov.io/gh/jsanders/angular_rails_csrf)
+![Gem](https://img.shields.io/gem/v/angular_rails_csrf)
+![CI](https://github.com/jsanders/angular_rails_csrf/actions/workflows/ci.yml/badge.svg)
+![Downloads total](https://img.shields.io/gem/dt/angular_rails_csrf)
 The AngularJS [ng.$http](http://docs.angularjs.org/api/ng.$http) service has built-in CSRF protection. By default, it looks for a cookie named `XSRF-TOKEN` and, if found, writes its value into an `X-XSRF-TOKEN` header, which the server compares with the CSRF token saved in the user's session.
@@ -16,11 +16,15 @@ Check [version compatibility](https://github.com/jsanders/angular_rails_csrf/wik
 Add this line to your application's *Gemfile*:
-    gem 'angular_rails_csrf'
+```ruby
+gem 'angular_rails_csrf'
+```
 And then execute:
-    $ bundle
+```console
+$ bundle
+```
 That's it!

data/lib/angular_rails_csrf/concern.rb CHANGED Viewed

@@ -9,25 +9,15 @@ module AngularRailsCsrf
     end
     def set_xsrf_token_cookie
-      return unless defined?(protect_against_forgery?) && protect_against_forgery? && !respond_to?(:__exclude_xsrf_token_cookie?)
+      return unless forgery_protection_enabled?
       config = Rails.application.config
-      secure = option_from config, :angular_rails_csrf_secure
-      same_site = option_from config, :angular_rails_csrf_same_site, :lax
-      cookie_options = {
-        value: form_authenticity_token,
-        domain: option_from(config, :angular_rails_csrf_domain),
-        same_site: same_site,
-        httponly: option_from(config, :angular_rails_csrf_httponly, false),
-        secure: same_site.eql?(:none) || secure
-      }
       cookie_name = option_from(config,
                                 :angular_rails_csrf_cookie_name,
                                 'XSRF-TOKEN')
-      cookies[cookie_name] = cookie_options
+      cookies[cookie_name] = cookie_options_from(config)
     end
     def verified_request?
@@ -36,12 +26,31 @@ module AngularRailsCsrf
     private
+    def cookie_options_from(config)
+      secure = option_from config, :angular_rails_csrf_secure
+      same_site = option_from config, :angular_rails_csrf_same_site, :lax
+      {
+        value: form_authenticity_token,
+        domain: option_from(config, :angular_rails_csrf_domain),
+        same_site: same_site,
+        httponly: option_from(config, :angular_rails_csrf_httponly, false),
+        secure: same_site.eql?(:none) || secure
+      }
+    end
     # Fetches the given option from config
     # If the option is not set, return a default value
     def option_from(config, option, default = nil)
       config.respond_to?(option) ? config.send(option) : default
     end
+    def forgery_protection_enabled?
+      defined?(protect_against_forgery?) &&
+        protect_against_forgery? &&
+        !respond_to?(:__exclude_xsrf_token_cookie?)
+    end
     module ClassMethods
       def exclude_xsrf_token_cookie
         class_eval do

data/lib/angular_rails_csrf/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module AngularRailsCsrf
-  VERSION = '4.5.0'
+  VERSION = '6.0.0'
 end

metadata CHANGED Viewed

@@ -1,58 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: angular_rails_csrf
 version: !ruby/object:Gem::Version
-  version: 4.5.0
+  version: 6.0.0
 platform: ruby
 authors:
 - James Sanders
-- Ilya Bodrov
-autorequire:
+- Ilya Krukowski
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-21 00:00:00.000000000 Z
+date: 2023-11-14 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-- !ruby/object:Gem::Dependency
-  name: test-unit
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
-- !ruby/object:Gem::Dependency
-  name: rails
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 6.0.3.3
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 6.0.3.3
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
@@ -62,7 +20,7 @@ dependencies:
         version: '3'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '7'
+        version: '8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -72,63 +30,7 @@ dependencies:
         version: '3'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '7'
-- !ruby/object:Gem::Dependency
-  name: codecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.1'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.1'
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.60'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.60'
-- !ruby/object:Gem::Dependency
-  name: rubocop-performance
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.16'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.16'
+        version: '8'
 description: AngularJS style CSRF protection for Rails
 email:
 - sanderjd@gmail.com
@@ -143,25 +45,12 @@ files:
 - lib/angular_rails_csrf/concern.rb
 - lib/angular_rails_csrf/railtie.rb
 - lib/angular_rails_csrf/version.rb
-- test/angular_rails_csrf_exception_test.rb
-- test/angular_rails_csrf_skip_test.rb
-- test/angular_rails_csrf_test.rb
-- test/dummy/app/assets/config/manifest.js
-- test/dummy/app/controllers/api_controller.rb
-- test/dummy/app/controllers/application_controller.rb
-- test/dummy/app/controllers/exclusions_controller.rb
-- test/dummy/config.ru
-- test/dummy/config/application.rb
-- test/dummy/config/boot.rb
-- test/dummy/config/environment.rb
-- test/dummy/config/routes.rb
-- test/dummy/log/test.log
-- test/test_helper.rb
 homepage: https://github.com/jsanders/angular_rails_csrf
 licenses:
 - MIT
-metadata: {}
-post_install_message:
+metadata:
+  rubygems_mfa_required: 'true'
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -169,29 +58,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: '3.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key:
+rubygems_version: 3.4.21
+signing_key:
 specification_version: 4
 summary: Support for AngularJS $http service style CSRF protection in Rails
-test_files:
-- test/angular_rails_csrf_exception_test.rb
-- test/angular_rails_csrf_skip_test.rb
-- test/angular_rails_csrf_test.rb
-- test/dummy/app/assets/config/manifest.js
-- test/dummy/app/controllers/api_controller.rb
-- test/dummy/app/controllers/application_controller.rb
-- test/dummy/app/controllers/exclusions_controller.rb
-- test/dummy/config/application.rb
-- test/dummy/config/boot.rb
-- test/dummy/config/environment.rb
-- test/dummy/config/routes.rb
-- test/dummy/config.ru
-- test/dummy/log/test.log
-- test/test_helper.rb
+test_files: []

data/test/angular_rails_csrf_exception_test.rb DELETED Viewed

@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-require 'test_helper'
-class AngularRailsCsrfExceptionTest < ActionController::TestCase
-  tests ExclusionsController
-  setup do
-    @controller.allow_forgery_protection = true
-    @correct_token = @controller.send(:form_authenticity_token)
-  end
-  test 'a get does not set the XSRF-TOKEN cookie' do
-    get :index
-    assert_not_equal @correct_token, cookies['XSRF-TOKEN']
-    assert_response :success
-  end
-end

data/test/angular_rails_csrf_skip_test.rb DELETED Viewed

@@ -1,14 +0,0 @@
-# frozen_string_literal: true
-require 'test_helper'
-class AngularRailsCsrfSkipTest < ActionController::TestCase
-  tests ApiController
-  test 'csrf-cookie is not set and no error if protect_against_forgery? is not defined' do
-    refute @controller.respond_to?(:protect_against_forgery?)
-    get :index
-    assert_nil cookies['XSRF-TOKEN']
-    assert_response :success
-  end
-end

data/test/angular_rails_csrf_test.rb DELETED Viewed

@@ -1,152 +0,0 @@
-# frozen_string_literal: true
-require 'test_helper'
-class AngularRailsCsrfTest < ActionController::TestCase
-  tests ApplicationController
-  test 'a get sets the XSRF-TOKEN cookie but does not require the X-XSRF-TOKEN header' do
-    get :index
-    assert_valid_cookie
-    assert_response :success
-  end
-  test 'a post raises an error without the X-XSRF-TOKEN header set' do
-    assert_raises ActionController::InvalidAuthenticityToken do
-      post :create
-    end
-  end
-  test 'a post raises an error with the X-XSRF-TOKEN header set to the wrong value' do
-    header_to 'garbage'
-    assert_raises ActionController::InvalidAuthenticityToken do
-      post :create
-    end
-  end
-  test 'a post is accepted if X-XSRF-TOKEN is set properly' do
-    header_to @controller.send(:form_authenticity_token)
-    post :create
-    assert_valid_cookie
-    assert_response :success
-  end
-  test 'csrf-cookie is not set if exclusion is enabled' do
-    refute @controller.respond_to?(:__exclude_xsrf_token_cookie?)
-    @controller.class_eval { exclude_xsrf_token_cookie }
-    get :index
-    assert_valid_cookie present: false
-    assert @controller.__exclude_xsrf_token_cookie?
-    assert_response :success
-  end
-  test 'the domain is used if present' do
-    config = Rails.application.config
-    def config.angular_rails_csrf_domain
-      :all
-    end
-    get :index
-    assert @response.headers['Set-Cookie'].include?('.test.host')
-    assert_valid_cookie
-    assert_response :success
-  ensure
-    config.instance_eval('undef :angular_rails_csrf_domain', __FILE__, __LINE__)
-  end
-  test 'the secure flag is set if configured' do
-    @request.headers['HTTPS'] = 'on'
-    config = Rails.application.config
-    config.define_singleton_method(:angular_rails_csrf_secure) { true }
-    get :index
-    assert @response.headers['Set-Cookie'].include?('secure')
-    assert_valid_cookie
-    assert_response :success
-  ensure
-    @request.headers['HTTPS'] = nil
-    config.instance_eval('undef :angular_rails_csrf_secure', __FILE__, __LINE__)
-  end
-  test 'a custom name is used if present' do
-    use_custom_cookie_name do
-      get :index
-      assert @response.headers['Set-Cookie'].include?('CUSTOM-COOKIE-NAME')
-      assert_valid_cookie name: 'CUSTOM-COOKIE-NAME'
-      assert_response :success
-    end
-  end
-  test 'the httponly flag is set if configured' do
-    config = Rails.application.config
-    config.define_singleton_method(:angular_rails_csrf_httponly) { true }
-    get :index
-    assert @response.headers['Set-Cookie'].include?('HttpOnly')
-    assert_valid_cookie
-    assert_response :success
-  ensure
-    config.instance_eval('undef :angular_rails_csrf_httponly', __FILE__, __LINE__)
-  end
-  test 'same_site is set to Lax by default' do
-    get :index
-    assert @response.headers['Set-Cookie'].include?('SameSite=Lax')
-    assert_valid_cookie
-    assert_response :success
-  end
-  test 'same_site can be configured' do
-    config = Rails.application.config
-    config.define_singleton_method(:angular_rails_csrf_same_site) { :strict }
-    get :index
-    assert @response.headers['Set-Cookie'].include?('SameSite=Strict')
-    assert_valid_cookie
-    assert_response :success
-  ensure
-    config.instance_eval('undef :angular_rails_csrf_same_site', __FILE__, __LINE__)
-  end
-  test 'secure is set automatically when same_site is set to none' do
-    @request.headers['HTTPS'] = 'on'
-    config = Rails.application.config
-    config.define_singleton_method(:angular_rails_csrf_same_site) { :none }
-    get :index
-    assert @response.headers['Set-Cookie'].include?('SameSite=None')
-    assert @response.headers['Set-Cookie'].include?('secure')
-    assert_valid_cookie
-    assert_response :success
-  ensure
-    config.instance_eval('undef :angular_rails_csrf_same_site', __FILE__, __LINE__)
-  end
-  private
-  # Helpers
-  def header_to(value)
-    @request.headers['X-XSRF-TOKEN'] = value
-  end
-  def assert_valid_cookie(name: 'XSRF-TOKEN', present: true)
-    cookie_valid = @controller.send(:valid_authenticity_token?, session, cookies[name])
-    cookie_valid = !cookie_valid unless present
-    assert cookie_valid
-  end
-  def use_custom_cookie_name
-    config = Rails.application.config
-    def config.angular_rails_csrf_cookie_name
-      'CUSTOM-COOKIE-NAME'
-    end
-    yield
-  ensure
-    eval <<-RUBY, binding, __FILE__, __LINE__ + 1
-      config.instance_eval('undef :angular_rails_csrf_cookie_name')
-    RUBY
-  end
-end

data/test/dummy/app/assets/config/manifest.js DELETED Viewed

@@ -1,4 +0,0 @@
-//= link_tree ../images
-//= link_tree ../fonts
-//= link_directory ../javascripts .js
-//= link_directory ../stylesheets .css

data/test/dummy/app/controllers/api_controller.rb DELETED Viewed

@@ -1,7 +0,0 @@
-# frozen_string_literal: true
-class ApiController < ActionController::API
-  def index
-    head :ok
-  end
-end

data/test/dummy/app/controllers/application_controller.rb DELETED Viewed

@@ -1,13 +0,0 @@
-# frozen_string_literal: true
-class ApplicationController < ActionController::Base
-  protect_from_forgery with: :exception
-  def index
-    head :ok
-  end
-  def create
-    head :ok
-  end
-end

data/test/dummy/app/controllers/exclusions_controller.rb DELETED Viewed

@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-class ExclusionsController < ApplicationController
-  exclude_xsrf_token_cookie
-  def index
-    head :ok
-  end
-end

data/test/dummy/config/application.rb DELETED Viewed

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-require File.expand_path('boot', __dir__)
-require 'action_controller/railtie'
-Bundler.require(:default, Rails.env)
-require 'angular_rails_csrf'
-module Dummy
-  class Application < Rails::Application
-    config.secret_key_base = '5e6b6d2bd7bf26d02679ac958b520adf41b211eb0b8f33742abc5437711d0ad314baf13efc0d35d7568d2e469668a7021cf5e945c667bd16507777aedb770f83'
-    config.eager_load = false # You get yelled at if you don't set this
-    config.active_support.test_order = :random
-  end
-end

data/test/dummy/config/boot.rb DELETED Viewed

@@ -1,6 +0,0 @@
-# frozen_string_literal: true
-# Set up gems listed in the Gemfile.
-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../../Gemfile', __dir__)
-require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

data/test/dummy/config/environment.rb DELETED Viewed

@@ -1,7 +0,0 @@
-# frozen_string_literal: true
-# Load the Rails application.
-require File.expand_path('application', __dir__)
-# Initialize the Rails application.
-Dummy::Application.initialize!

data/test/dummy/config/routes.rb DELETED Viewed

@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-Dummy::Application.routes.draw do
-  get  'test' => 'application#index'
-  post 'test' => 'application#create'
-  get 'exclusions' => 'exclusions#index'
-  get 'index' => 'api#index'
-end

data/test/dummy/config.ru DELETED Viewed

@@ -1,6 +0,0 @@
-# frozen_string_literal: true
-# This file is used by Rack-based servers to start the application.
-require ::File.expand_path('config/environment', __dir__)
-run Rails.application