Set up Rails CSRF to play nice with Axios default CSRF behavior #96

bknoles · 2023-06-26T02:23:09Z

Resolves #71

More discussion there and #72

bknoles · 2023-06-26T14:50:13Z

lib/inertia_rails/controller.rb

@@ -11,6 +11,10 @@ module Controller
        InertiaRails.share(errors: session[:inertia_errors]) if session[:inertia_errors].present?
      end
      helper ::InertiaRails::Helper
+
+      after_action do
+        cookies['XSRF-TOKEN'] = form_authenticity_token unless request.inertia? || !protect_against_forgery?


This is essentially lifted from @buhrmi 's #72

bknoles · 2023-06-26T14:55:20Z

lib/inertia_rails/middleware.rb

@@ -89,6 +90,10 @@ def force_refresh(request)
        request.flash.keep
        Rack::Response.new('', 409, {'X-Inertia-Location' => request.original_url}).finish
      end
+
+      def copy_xsrf_to_csrf!
+        @env['HTTP_X_CSRF_TOKEN'] = @env['HTTP_X_XSRF_TOKEN'] if @env['HTTP_X_XSRF_TOKEN'] && inertia_request?


These changes basically translate Axios's CSRF defaults into Rails's CSRF defaults, and only for Inertia requests

bknoles · 2023-06-26T15:04:31Z

spec/inertia/request_spec.rb

@@ -96,4 +96,40 @@

    it { is_expected.to eq 302 }
  end
+
+  describe 'CSRF' do


I set out to actually test the entire CSRF flow. I wanted:

A test showing that an X-CSRF-Token header passes CSRF (essentially verifying Rails default behavior)

A failing test showing that an X-XSRF-Token (like Axios will send) fails CSRF

Write the code that translates Axios to Rails

See that red test turn a sweet green

Turns out that's a nontrivial thing to do! RSpec request tests don't give you access to a session before a request, so it's really difficult to do something like mocking out a form_authenticity_token.

System tests are better suited for testing stateful session based workflows, but the amount of setup required for that did not feel worth it here.

I learned a lot about Rails's CSRF internals along the way!

bknoles · 2023-06-26T15:06:13Z

spec/support/helper_module.rb

@@ -0,0 +1,11 @@
+module HelperModule
+  def with_forgery_protection


I wanted this for my theoretical full CSRF testing as described above. Still somewhat useful to verify that we only add the XSRF-Token cookie on requests with forgery protection.

PedroAugustoRamalhoDuarte · 2023-07-25T16:28:51Z

It's an excellent feature that enables quick setup of Inertia client-side following the website https://inertiajs.com/client-side-setup

Set up Rails CSRF to play nice with Axios default CSRF behavior

6619f7d

bknoles requested a review from BrandonShar June 26, 2023 14:45

bknoles commented Jun 26, 2023

View reviewed changes

Remove (brittle) CSRF workaround from installer files

8b74371

bknoles merged commit 1ff089d into master Aug 21, 2023

bknoles deleted the csrf-via-middleware branch August 21, 2023 20:36

jordanhiltunen mentioned this pull request May 27, 2024

Align CSRF cookie provisioning with Laravel's precedents to eliminate ActionController::InvalidAuthenticityToken edge cases #119

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Set up Rails CSRF to play nice with Axios default CSRF behavior #96

Set up Rails CSRF to play nice with Axios default CSRF behavior #96

bknoles commented Jun 26, 2023

bknoles Jun 26, 2023

bknoles Jun 26, 2023

bknoles Jun 26, 2023

bknoles Jun 26, 2023

PedroAugustoRamalhoDuarte commented Jul 25, 2023

		@@ -0,0 +1,11 @@
		module HelperModule
		def with_forgery_protection

Set up Rails CSRF to play nice with Axios default CSRF behavior #96

Set up Rails CSRF to play nice with Axios default CSRF behavior #96

Conversation

bknoles commented Jun 26, 2023

bknoles Jun 26, 2023

Choose a reason for hiding this comment

bknoles Jun 26, 2023

Choose a reason for hiding this comment

bknoles Jun 26, 2023

Choose a reason for hiding this comment

bknoles Jun 26, 2023

Choose a reason for hiding this comment

PedroAugustoRamalhoDuarte commented Jul 25, 2023