Remove all CSRF checks from API endpoints

SplitTime · Nov 11, 2023 · 31e9fe3 · 31e9fe3
1 parent 6d253cc
commit 31e9fe3
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 8 deletions.
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
@@ -3,7 +3,7 @@
 class ApiController < ::ApplicationController
   include Rails::Pagination
   protect_from_forgery with: :null_session
-  skip_before_action :verify_authenticity_token, if: :json_web_token_present?
+  skip_before_action :verify_authenticity_token
   before_action :authenticate_user!
   after_action :verify_authorized
   rescue_from ActiveRecord::RecordNotFound, with: :record_not_found_json
@@ -22,8 +22,4 @@ def live_entry_unavailable(resource)
     {reportText: "Live entry for #{resource.name} is currently unavailable. " +
       "Please enable live entry access through the admin/settings page."}
   end
-
-  def json_web_token_present?
-    !!current_user&.has_json_web_token
-  end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -81,8 +81,6 @@ def self.search_name_email(search_param)
           "#{search_param}%", "#{search_param}%", "%#{search_param}%")
   end
 
-  attr_accessor :has_json_web_token
-
   def to_s
     slug
   end

diff --git a/config/initializers/core_extensions/devise/strategies/jwt_strategy.rb b/config/initializers/core_extensions/devise/strategies/jwt_strategy.rb
@@ -11,7 +11,6 @@ def authenticate!
 
         env["devise.skip_trackable"] = true
         user = User.find(payload["sub"])
-        user.has_json_web_token = true
         success! user
       rescue JWT::ExpiredSignature
         fail! "Auth token has expired"
-Original file line number
+Diff line change
@@ Expand Up / @@ -81,8 +81,6 @@ def self.search_name_email(search_param) @@
               "#{search_param}%", "#{search_param}%", "%#{search_param}%")
       end
-      attr_accessor :has_json_web_token
       def to_s
         slug
       end
@@ Expand Down @@