From 31e9fe3c2e12b5a989035f8fbadf0264e3cf416b Mon Sep 17 00:00:00 2001
From: moveson
Date: Fri, 10 Nov 2023 21:05:14 -0700
Subject: [PATCH] Remove all CSRF checks from API endpoints

---
 app/controllers/api_controller.rb | 6 +-----
 app/models/user.rb | 2 --
 .../core_extensions/devise/strategies/jwt_strategy.rb | 1 -
 3 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 6f4109833..a0c932fd0 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -3,7 +3,7 @@ class ApiController < ::ApplicationController
   include Rails::Pagination
   protect_from_forgery with: :null_session
-  skip_before_action :verify_authenticity_token, if: :json_web_token_present?
+  skip_before_action :verify_authenticity_token
   before_action :authenticate_user!
   after_action :verify_authorized
   rescue_from ActiveRecord::RecordNotFound, with: :record_not_found_json
@@ -22,8 +22,4 @@ def live_entry_unavailable(resource)
     {reportText: "Live entry for #{resource.name} is currently unavailable. " +
       "Please enable live entry access through the admin/settings page."}
   end
-
-  def json_web_token_present?
-    !!current_user&.has_json_web_token
-  end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index b1690b400..91dc0413f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -81,8 +81,6 @@ def self.search_name_email(search_param)
           "#{search_param}%", "#{search_param}%", "%#{search_param}%")
   end
 
-  attr_accessor :has_json_web_token
-
   def to_s
     slug
   end
diff --git a/config/initializers/core_extensions/devise/strategies/jwt_strategy.rb b/config/initializers/core_extensions/devise/strategies/jwt_strategy.rb
index dfc87b351..f649d7412 100644
--- a/config/initializers/core_extensions/devise/strategies/jwt_strategy.rb
+++ b/config/initializers/core_extensions/devise/strategies/jwt_strategy.rb
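Review bot: With the `if: :json_web_token_present?` condition dropped, the unconditional `skip_before_action :verify_authenticity_token` in the first api_controller.rb hunk turns off CSRF verification for every request the controller serves, not only the bearer-token ones — and `before_action :authenticate_user!` two lines below still runs, so if Devise also accepts a browser session cookie on these routes (not visible in this diff), a cross-origin page can now drive state-changing API actions with the victim's cookie and nothing in this controller rejects it. The `protect_from_forgery with: :null_session` line just above becomes dead configuration, since the verification it configures is never executed. If the intent is that API clients authenticate only with a token, that constraint should be enforced on this controller (e.g. by not honoring session-based authentication here, or by scoping the skip to requests that carry an Authorization header rather than the removed `has_json_web_token` flag) and recorded beside the skip, e.g. `# CSRF verification is intentionally skipped: API clients must authenticate with a bearer token, never a session cookie.` The second hunk of this file and the user.rb and jwt_strategy.rb hunks only remove the now-unused flag plumbing and need no change on their own.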
@@ -11,7 +11,6 @@ def authenticate!
     env["devise.skip_trackable"] = true
     user = User.find(payload["sub"])
-    user.has_json_web_token = true
     success! user
   rescue JWT::ExpiredSignature
     fail! "Auth token has expired"