Skip to content

Instantly share code, notes, and snippets.

@joeytheman
Forked from bgarret/application_controller.rb
Created October 2, 2012 20:26
Show Gist options
  • Save joeytheman/3823071 to your computer and use it in GitHub Desktop.
Save joeytheman/3823071 to your computer and use it in GitHub Desktop.
Rack middleware and form tag patch to insert csrf tokens into cached pages
class ApplicationController < ActionController::Base
TOKEN_PLACEHOLDER = "__CROSS_SITE_REQUEST_FORGERY_PROTECTION_TOKEN__"
before_filter :form_authenticity_token
after_filter :inject_csrf_token
private
def inject_csrf_token
if protect_against_forgery? && token = session['_csrf_token']
if body_with_token = response.body.gsub!(TOKEN_PLACEHOLDER, token)
response.body = body_with_token
logger.info "Injected authenticity token '#{token}'"
end
end
end
end
# Webrat integration test
require 'test_helper'
class AuthenticationTokenStoriesTest < ActionController::IntegrationTest
context "with forgery protection enabled" do
setup { ActionController::Base.allow_forgery_protection = true }
teardown { ActionController::Base.allow_forgery_protection = false }
should "inject authentication token when visiting home page" do
visit '/'
token = session['_csrf_token']
assert token.present?
assert_match Regexp.new(Regexp.escape(token)), response.body
end
end
end
# From http://www.jarrodspillers.com/2010/02/06/trying-to-use-rails-csrf-protection-on-cached-actions-rack-middleware-to-the-rescue/
# Updated for rails 3.1
module ActionView
module Helpers
module FormTagHelper
alias_method :token_tag_rails, :token_tag
def token_tag(token)
if token == false || !protect_against_forgery?
''
else
token = form_authenticity_token if token.nil?
tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => ApplicationController::TOKEN_PLACEHOLDER)
end
end
end
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment