Skip to content

Commit

Permalink
Merge pull request #1186 from SplitTime/oveson/remove-csrf-verificati…
Browse files Browse the repository at this point in the history
…on-from-api

Remove all CSRF checks from API endpoints
  • Loading branch information
moveson authored Nov 11, 2023
2 parents 6d253cc + 31e9fe3 commit 451ea4a
Show file tree
Hide file tree
Showing 3 changed files with 1 addition and 8 deletions.
6 changes: 1 addition & 5 deletions app/controllers/api_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
class ApiController < ::ApplicationController
include Rails::Pagination
protect_from_forgery with: :null_session
skip_before_action :verify_authenticity_token, if: :json_web_token_present?
skip_before_action :verify_authenticity_token
before_action :authenticate_user!
after_action :verify_authorized
rescue_from ActiveRecord::RecordNotFound, with: :record_not_found_json
Expand All @@ -22,8 +22,4 @@ def live_entry_unavailable(resource)
{reportText: "Live entry for #{resource.name} is currently unavailable. " +
"Please enable live entry access through the admin/settings page."}
end

def json_web_token_present?
!!current_user&.has_json_web_token
end
end
2 changes: 0 additions & 2 deletions app/models/user.rb
Original file line number Diff line number Diff line change
Expand Up @@ -81,8 +81,6 @@ def self.search_name_email(search_param)
"#{search_param}%", "#{search_param}%", "%#{search_param}%")
end

attr_accessor :has_json_web_token

def to_s
slug
end
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ def authenticate!

env["devise.skip_trackable"] = true
user = User.find(payload["sub"])
user.has_json_web_token = true
success! user
rescue JWT::ExpiredSignature
fail! "Auth token has expired"
Expand Down

0 comments on commit 451ea4a

Please sign in to comment.