invalid_authenticity_token_rescue 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: abe9b291f63dcf0eb474c08570b21cc9541275a2
+  data.tar.gz: 96d82d018a762e629d87087b03bdaf550a1fbcc0
+SHA512:
+  metadata.gz: 2a31ee1e0cf77387d702748ad76ce217fb88736248a13e974c76d974334ca3e9a5f2a136351bd37f31f2e0d161048c72e2b494206b4e0c28e1486536c0600500
+  data.tar.gz: e7b03f83b556977162ec54c63676f1c4314d499401b4d0b035ab8d833baa939eae4e6a0557975fcf65f8a0ead5336bac4fe68d53472a617839ffda4638cd2da5

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2017 Aaron Baldwin
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,45 @@
+# InvalidAuthenticityTokenRescue
+Rails 5 default protect_from_forgery is to raise an exception. Some browsers trigger this exception by caching pages. This gem rescues the InvalidAuthenticityToken exception, triggers ExceptionNotifier, and redirects to the login page. For more details and steps to reprodcue the problem see this issue: https://github.com/rails/rails/issues/21948.
+
+With the default Rails 5 settings users receive an error page when an InvalidAuthenticityToken is raised. For actual malicious requests this would be fine. However, with the way some broswers cache pages legitimate users are getting these error pages and sometimes make repreated unsuccessful attempts to sumbmit a form.
+
+With this gem in place when an InvalidAuthenticityToken is raised it will be rescued. The error information is captured and notifications are sent to developers. The user will be redirected to new_session_path with flash warning set to *"Your session has expired, please log in again"*.
+
+## ExceptionNotification Gem Required
+Install and congiure the [exception_notifcation](https://github.com/smartinez87/exception_notification) gem first to receive notifications when InvalidAuthenticityToken exceptions are raised.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'invalid_authenticity_token_rescue'
+```
+
+Add **rescue_from_invalid_authenticity_token** to your ApplicationController:
+
+```ruby
+class ApplicationController < ActionController::Base
+  protect_from_forgery with: :exception
+  rescue_from_invalid_authenticity_token
+  ...
+end
+```
+
+Add **skip_before_action** to public forms (optional):
+
+```ruby
+class SessionsController < ApplicationController
+  skip_before_action :verify_authenticity_token, on: :create
+  ...
+end
+```
+
+Adding **skip_before_action** is optional but will improve user experience. Rails **protect_from_forgery** is intended to prevent a logged in user's credentials from being maliciously used to submit a form as that user. Publicly accessible forms, like a login page, that do not rely on a currently logged in user are not susceptible to forgery attacks.
+
+Adding **skip_before_action** will allow the request to complete and the users session to be setup with the correct token. Subsequent forms submitted by the user will complete successfully. If **skip_before_action** is not added the user will be redirected to the login page and notifed that their session has expired and they need to login again.
+
+## Contributing
+Bug reports and pull requests are welcome on GitHub at https://github.com/wwidea/invalid_authenticity_token_rescue.
+
+## License
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,34 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'InvalidAuthenticityTokenRescue'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task default: :test

data/lib/invalid_authenticity_token_rescue.rb

@@ -0,0 +1,21 @@
+require 'invalid_authenticity_token_rescue/railtie'
+
+module InvalidAuthenticityTokenRescue
+  module RescueFromInvalidAuthenticityToken
+    extend ActiveSupport::Concern
+    
+    module ClassMethods
+      def rescue_from_invalid_authenticity_token
+        rescue_from ActionController::InvalidAuthenticityToken, with: :invalid_authenticity_token
+      end
+    end
+    
+    protected
+    
+    def invalid_authenticity_token(exception)
+      ExceptionNotifier.notify_exception(exception, env: request.env)
+      flash[:warning] = 'Your session has expired, please log in again'
+      redirect_to new_session_path
+    end
+  end
+end

data/lib/invalid_authenticity_token_rescue/railtie.rb

@@ -0,0 +1,9 @@
+module InvalidAuthenticityTokenRescue
+  class Railtie < Rails::Railtie
+    initializer "invalid_authenticity_token_rescue" do
+      ActiveSupport.on_load :action_controller do
+        ActionController::Base.include InvalidAuthenticityTokenRescue::RescueFromInvalidAuthenticityToken
+      end
+    end
+  end
+end

data/lib/invalid_authenticity_token_rescue/version.rb

@@ -0,0 +1,3 @@
+module InvalidAuthenticityTokenRescue
+  VERSION = '0.1.0'
+end

data/lib/tasks/invalid_authenticity_token_rescue_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :invalid_authenticity_token_rescue do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: invalid_authenticity_token_rescue
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Aaron Baldwin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-04-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 5.0.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.2'
+- !ruby/object:Gem::Dependency
+  name: exception_notification
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.1
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Rails 5 default protect_from_forgery is to raise an exception. Some browsers
+  trigger this exception by caching pages. This gem rescues the InvalidAuthenticityToken
+  exception, triggers ExceptionNotifier, and redirects to the login page.
+email:
+- baldwina@brightwayslearning.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/invalid_authenticity_token_rescue.rb
+- lib/invalid_authenticity_token_rescue/railtie.rb
+- lib/invalid_authenticity_token_rescue/version.rb
+- lib/tasks/invalid_authenticity_token_rescue_tasks.rake
+homepage: https://github.com/wwidea/invalid_authenticity_token_rescue
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Rescues from Rails 5 InvalidAuthenticityToken exception
+test_files: []