make CSRF protection work out of the box (#71)

lib/inertia_rails.rb

@@ -1,6 +1,7 @@
 require 'inertia_rails/renderer'
 require 'inertia_rails/engine'
 
+require 'patches/action_controller'
 require 'patches/debug_exceptions'
 require 'patches/better_errors'
 require 'patches/request'

lib/inertia_rails/controller.rb

@@ -9,6 +9,11 @@ module Controller
         # :inertia_errors are deleted from the session by the middleware
         InertiaRails.share(errors: session[:inertia_errors]) if session[:inertia_errors].present?
       end
+
+      after_action do
+        # Axios by default looks for an XSRF-TOKEN cookie to use for POST requests
+        cookies['XSRF-TOKEN'] = form_authenticity_token unless request.inertia?
+      end
     end
 
     module ClassMethods

lib/patches/action_controller.rb

@@ -0,0 +1,8 @@
+module ActionController
+  module RequestForgeryProtection
+    private
+    def request_authenticity_tokens
+      [form_authenticity_param, request.x_csrf_token, request.headers['X-XSRF-TOKEN']]
+    end
+  end
+end