nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Sign out users with wrong CSRF tokens

Browse source 
See http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf
This commit is contained in:
Steffen van Bergerem 2016-09-02 20:15:17 +02:00 committed by Dennis Schubert
parent 806de7e9d8
commit 6ad9000f8c
No known key found for this signature in database
GPG key ID: 5A0304BEA7966D7E
3 changed files with 56 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
app/controllers/application_controller.rb
View file

@ -5,7 +5,13 @@
class ApplicationController < ActionController::Base class ApplicationController < ActionController::Base
before_action :force_tablet_html before_action :force_tablet_html
has_mobile_fu has_mobile_fu
protect_from_forgery except: :receive protect_from_forgery except: :receive, with: :exception
rescue_from ActionController::InvalidAuthenticityToken do
sign_out current_user
flash[:error] = I18n.t("error_messages.csrf_token_fail")
redirect_to new_user_session_path format: request[:format]
end
before_action :ensure_http_referer_is_set before_action :ensure_http_referer_is_set
before_action :set_locale before_action :set_locale

1
config/locales/diaspora/en.yml
View file

@ -75,6 +75,7 @@ en:
helper: helper:
correct_the_following_errors_and_try_again: "Correct the following errors and try again." correct_the_following_errors_and_try_again: "Correct the following errors and try again."
need_javascript: "This website requires JavaScript to function properly. If you disabled JavaScript, please enable it and refresh this page." need_javascript: "This website requires JavaScript to function properly. If you disabled JavaScript, please enable it and refresh this page."
csrf_token_fail: "The CSRF token is invalid. Please sign in and try again."
admins: admins:
admin_bar: admin_bar:

48
spec/integration/application_spec.rb Normal file
View file

@ -0,0 +1,48 @@
require "spec_helper"
describe ApplicationController, type: :request do
describe "csrf token validation" do
context "without a current user" do
before do
@user = alice
@user.password = "evankorth"
@user.password_confirmation = "evankorth"
@user.save
end
it "redirects to the new session page on validation fails" do
expect_any_instance_of(SessionsController).to receive(:verified_request?).and_return(false)
post "/users/sign_in", user: {remember_me: 0, username: @user.username, password: "evankorth"}
expect(response).to redirect_to new_user_session_path
expect(flash[:error]).to eq(I18n.t("error_messages.csrf_token_fail"))
end
it "doesn't redirect to the new session page if the validation succeeded" do
expect_any_instance_of(SessionsController).to receive(:verified_request?).and_return(true)
post "/users/sign_in", user: {remember_me: 0, username: @user.username, password: "evankorth"}
expect(response).to redirect_to stream_path
expect(flash[:error]).to be_blank
end
end
context "with a current user" do
before do
sign_in alice
end
it "signs out users if a wrong token was given" do
expect_any_instance_of(UsersController).to receive(:verified_request?).and_return(false)
put edit_user_path, user: {language: "en"}
expect(response).to redirect_to new_user_session_path
expect(flash[:error]).to eq(I18n.t("error_messages.csrf_token_fail"))
end
it "doesn't sign out users if the token was correct" do
expect_any_instance_of(UsersController).to receive(:verified_request?).and_return(true)
put edit_user_path, user: {language: "en"}
expect(response).not_to be_redirect
expect(flash[:error]).to be_blank
end
end
end
end