angular_rails_csrf 4.4.0 → 4.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f310f1cd6d8278d5b0a669bb7123a802b68cfdcda1ec443de09b85a757c10eb3
-  data.tar.gz: 4eaec5f2dcf567dd0b8cf2c7374a0a1b95c965f3226204b729cfff7aa765f6ea
+  metadata.gz: fbbe5d4e901a8407bab7ff813f821b21461330470f2e6002d4e3d1a818eea858
+  data.tar.gz: 0e69f2eefcb28ae04e1b3de4ba04d00e6e3977235b725fa26d83d46ce33bcd3f
 SHA512:
-  metadata.gz: e44c7ab3ebfefe2dbcbe184243d03ba5f0eac7aa7b0b760aaf7cbd878468394cc519e7433bf72ef2dfd8ffcf3e0e099a18290035b86760e5143bf11a3236f42f
-  data.tar.gz: 57ce6512718fd75d5fbeb82e54577314b448b3c1b9e4714ad9b8b1021033501bc481e2d70a4f1b3c930727aa020a827535a357319e7a8928ba10e158d6ce8478
+  metadata.gz: 8ab71939bec130bfc22e79dabff8e904591990c178b03de610cb5592aa41bb6aeab73cf34340efe77592179c94b1b455029ee50f94955eca2f2bb28955f4f3f1
+  data.tar.gz: 0571fe4d59a0ed421942c37f357d34b3fd05f2fa8f5a98801d327d9054bf8cb5123f4b2c833053a34e82d96d103e53300d29c3303628c1c6d2a2d63bd43c07b7

data/README.md

@@ -82,6 +82,20 @@ end
 
 Please note that [Safari is known to have issues](https://bugs.webkit.org/show_bug.cgi?id=198181) with SameSite attribute set to `:none`.
 
+### HttpOnly Cookie
+
+To set the ["httponly" flag](https://owasp.org/www-community/HttpOnly) for your cookie, set the `angular_rails_csrf_httponly` option to `true`:
+
+```ruby
+# application.rb
+class Application < Rails::Application
+  #...
+  config.angular_rails_csrf_httponly = true
+end
+```
+
+`angular_rails_csrf_httponly` defaults to `false`.
+
 ### Exclusions
 
 Sometimes you will want to skip setting the XSRF token for certain controllers (for example, when using SSE or ActionCable, as discussed [here](https://github.com/jsanders/angular_rails_csrf/issues/7)):

data/lib/angular_rails_csrf/concern.rb

@@ -13,17 +13,20 @@ module AngularRailsCsrf
 
       config = Rails.application.config
 
-      same_site = same_site_from config
-      secure = secure_from config
+      secure = option_from config, :angular_rails_csrf_secure
+      same_site = option_from config, :angular_rails_csrf_same_site, :lax
 
       cookie_options = {
         value: form_authenticity_token,
-        domain: domain_from(config),
+        domain: option_from(config, :angular_rails_csrf_domain),
         same_site: same_site,
+        httponly: option_from(config, :angular_rails_csrf_httponly, false),
         secure: same_site.eql?(:none) || secure
       }
 
-      cookie_name = cookie_name_from config
+      cookie_name = option_from(config,
+                                :angular_rails_csrf_cookie_name,
+                                'XSRF-TOKEN')
       cookies[cookie_name] = cookie_options
     end
 
@@ -33,20 +36,10 @@ module AngularRailsCsrf
 
     private
 
-    def same_site_from(config)
-      config.respond_to?(:angular_rails_csrf_same_site) ? config.angular_rails_csrf_same_site : :lax
-    end
-
-    def secure_from(config)
-      config.angular_rails_csrf_secure if config.respond_to?(:angular_rails_csrf_secure)
-    end
-
-    def domain_from(config)
-      config.respond_to?(:angular_rails_csrf_domain) ? config.angular_rails_csrf_domain : nil
-    end
-
-    def cookie_name_from(config)
-      config.respond_to?(:angular_rails_csrf_cookie_name) ? config.angular_rails_csrf_cookie_name : 'XSRF-TOKEN'
+    # Fetches the given option from config
+    # If the option is not set, return a default value
+    def option_from(config, option, default = nil)
+      config.respond_to?(option) ? config.send(option) : default
     end
 
     module ClassMethods

data/lib/angular_rails_csrf/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AngularRailsCsrf
-  VERSION = '4.4.0'
+  VERSION = '4.5.0'
 end

data/test/angular_rails_csrf_test.rb

@@ -78,6 +78,18 @@ class AngularRailsCsrfTest < ActionController::TestCase
     end
   end
 
+  test 'the httponly flag is set if configured' do
+    config = Rails.application.config
+    config.define_singleton_method(:angular_rails_csrf_httponly) { true }
+
+    get :index
+    assert @response.headers['Set-Cookie'].include?('HttpOnly')
+    assert_valid_cookie
+    assert_response :success
+  ensure
+    config.instance_eval('undef :angular_rails_csrf_httponly', __FILE__, __LINE__)
+  end
+
   test 'same_site is set to Lax by default' do
     get :index
     assert @response.headers['Set-Cookie'].include?('SameSite=Lax')

data/test/dummy/log/test.log

@@ -1934,3 +1934,291 @@ AngularRailsCsrfSkipTest: test_csrf-cookie_is_not_set_and_no_error_if_protect_ag
 -------------------------------------------------------------------------------------------------------------
 Processing by ApiController#index as HTML
 Completed 200 OK in 0ms (Allocations: 84)
+-------------------------------------------------------------------------------------------------------------
+AngularRailsCsrfSkipTest: test_csrf-cookie_is_not_set_and_no_error_if_protect_against_forgery?_is_not_defined
+-------------------------------------------------------------------------------------------------------------
+Processing by ApiController#index as HTML
+Completed 200 OK in 0ms (Allocations: 88)
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms (Allocations: 192)
+-----------------------------------------------------------------
+AngularRailsCsrfTest: test_the_httponly_flag_is_set_if_configured
+-----------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 105)
+-------------------------------------------------------------------------
+AngularRailsCsrfTest: test_csrf-cookie_is_not_set_if_exclusion_is_enabled
+-------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 74)
+-------------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_is_set_to_Lax_by_default
+-------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 115)
+------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_secure_is_set_automatically_when_same_site_is_set_to_none
+------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------
+AngularRailsCsrfTest: test_a_custom_name_is_used_if_present
+-----------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+---------------------------------------------------------------
+AngularRailsCsrfTest: test_the_secure_flag_is_set_if_configured
+---------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 110)
+------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_can_be_configured
+------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 98)
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms (Allocations: 71)
+-------------------------------------------------------------------------------------------------------------
+AngularRailsCsrfSkipTest: test_csrf-cookie_is_not_set_and_no_error_if_protect_against_forgery?_is_not_defined
+-------------------------------------------------------------------------------------------------------------
+Processing by ApiController#index as HTML
+Completed 200 OK in 0ms (Allocations: 88)
+-----------------------------------------------------------
+AngularRailsCsrfTest: test_a_custom_name_is_used_if_present
+-----------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 12ms (Allocations: 3012)
+------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_can_be_configured
+------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 111)
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 6ms (Allocations: 2927)
+---------------------------------------------------------------
+AngularRailsCsrfTest: test_the_secure_flag_is_set_if_configured
+---------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_secure_is_set_automatically_when_same_site_is_set_to_none
+------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 500 Internal Server Error in 6ms (Allocations: 3046)
+-------------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_is_set_to_Lax_by_default
+-------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+-------------------------------------------------------------------------
+AngularRailsCsrfTest: test_csrf-cookie_is_not_set_if_exclusion_is_enabled
+-------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 74)
+-----------------------------------------------------------------
+AngularRailsCsrfTest: test_the_httponly_flag_is_set_if_configured
+-----------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 500 Internal Server Error in 5ms (Allocations: 2927)
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 98)
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms (Allocations: 71)
+-------------------------------------------------------------------------------------------------------------
+AngularRailsCsrfSkipTest: test_csrf-cookie_is_not_set_and_no_error_if_protect_against_forgery?_is_not_defined
+-------------------------------------------------------------------------------------------------------------
+Processing by ApiController#index as HTML
+Completed 200 OK in 0ms (Allocations: 88)
+-------------------------------------------------------------------------
+AngularRailsCsrfTest: test_csrf-cookie_is_not_set_if_exclusion_is_enabled
+-------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 128)
+------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_secure_is_set_automatically_when_same_site_is_set_to_none
+------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 114)
+-----------------------------------------------------------
+AngularRailsCsrfTest: test_a_custom_name_is_used_if_present
+-----------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 1ms (Allocations: 104)
+------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_can_be_configured
+------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 116)
+-----------------------------------------------------------------
+AngularRailsCsrfTest: test_the_httponly_flag_is_set_if_configured
+-----------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 115)
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 98)
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+---------------------------------------------------------------
+AngularRailsCsrfTest: test_the_secure_flag_is_set_if_configured
+---------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms (Allocations: 125)
+-------------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_is_set_to_Lax_by_default
+-------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms (Allocations: 71)
+-------------------------------------------------------------------------------------------------------------
+AngularRailsCsrfSkipTest: test_csrf-cookie_is_not_set_and_no_error_if_protect_against_forgery?_is_not_defined
+-------------------------------------------------------------------------------------------------------------
+Processing by ApiController#index as HTML
+Completed 200 OK in 0ms (Allocations: 88)
+-----------------------------------------------------------------
+AngularRailsCsrfTest: test_the_httponly_flag_is_set_if_configured
+-----------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 168)
+-----------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_is_accepted_if_X-XSRF-TOKEN_is_set_properly
+-----------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Completed 200 OK in 0ms (Allocations: 131)
+-------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_without_the_X-XSRF-TOKEN_header_set
+-------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 105)
+---------------------------------------------------------------
+AngularRailsCsrfTest: test_the_secure_flag_is_set_if_configured
+---------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+--------------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_get_sets_the_XSRF-TOKEN_cookie_but_does_not_require_the_X-XSRF-TOKEN_header
+--------------------------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-------------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_is_set_to_Lax_by_default
+-------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_secure_is_set_automatically_when_same_site_is_set_to_none
+------------------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------
+AngularRailsCsrfTest: test_a_custom_name_is_used_if_present
+-----------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+-----------------------------------------------------------------------------------------------------
+AngularRailsCsrfTest: test_a_post_raises_an_error_with_the_X-XSRF-TOKEN_header_set_to_the_wrong_value
+-----------------------------------------------------------------------------------------------------
+Processing by ApplicationController#create as HTML
+Can't verify CSRF token authenticity.
+Completed 422 Unprocessable Entity in 0ms (Allocations: 103)
+--------------------------------------------------------
+AngularRailsCsrfTest: test_the_domain_is_used_if_present
+--------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 115)
+-------------------------------------------------------------------------
+AngularRailsCsrfTest: test_csrf-cookie_is_not_set_if_exclusion_is_enabled
+-------------------------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 74)
+------------------------------------------------------
+AngularRailsCsrfTest: test_same_site_can_be_configured
+------------------------------------------------------
+Processing by ApplicationController#index as HTML
+Completed 200 OK in 0ms (Allocations: 104)
+----------------------------------------------------------------------------
+AngularRailsCsrfExceptionTest: test_a_get_does_not_set_the_XSRF-TOKEN_cookie
+----------------------------------------------------------------------------
+Processing by ExclusionsController#index as HTML
+Completed 200 OK in 0ms (Allocations: 71)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: angular_rails_csrf
 version: !ruby/object:Gem::Version
-  version: 4.4.0
+  version: 4.5.0
 platform: ruby
 authors:
 - James Sanders
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-04 00:00:00.000000000 Z
+date: 2020-09-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -45,14 +45,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.2
+        version: 6.0.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 6.0.3.2
+        version: 6.0.3.3
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement