Version 4.5.0
bodrovis committed Sep 21, 2020
1 parent a29bd58 commit 88823a8
Showing 5 changed files with 19 additions and 27 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,10 @@
# Changelog

## 4.5.0 (21-Sep-20)

* Added a new [`HttpOnly` option](https://github.com/jsanders/angular_rails_csrf#httponly-cookie) (thanks, [@Lubo-mir](https://github.com/Lubo-mir))
* Introduced some code refactorings

## 4.4.0 (04-Aug-20)

* Make the gem play nicely with controllers that do not have `protect_against_forgery?` method defined — for example, certain Doorkeeper controllers (thanks, [@amenz](https://github.com/amenz))
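Review bot: the second 4.5.0 bullet, "Introduced some code refactorings", is too vague for a changelog entry; a reader cannot tell from it that the five per-option readers in `lib/angular_rails_csrf/concern.rb` were collapsed into one `option_from` helper, or that the Rails development dependency moved from 6.0.3.2 to 6.0.3.3 in the same commit. Name those changes here, and state that the new `angular_rails_csrf_httponly` option defaults to `false`, since the README entry only shows how to turn it on.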
2 changes: 1 addition & 1 deletion README.md
@@ -84,7 +84,7 @@ Please note that [Safari is known to have issues](https://bugs.webkit.org/show_b

### HttpOnly Cookie

To set a "httponly" flag for the cookie, set the `angular_rails_csrf_httponly` option to `true`:
To set the ["httponly" flag](https://owasp.org/www-community/HttpOnly) for your cookie, set the `angular_rails_csrf_httponly` option to `true`:

```ruby
# application.rb
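Review bot: this section needs a caveat before it advertises the flag. The OWASP page linked on the `+` line describes HttpOnly as hiding the cookie from client-side script, and Angular's built-in XSRF support works precisely by reading the `XSRF-TOKEN` cookie from JavaScript and echoing it back in the `X-XSRF-TOKEN` header; with `angular_rails_csrf_httponly` set to `true` the stock Angular client can no longer read the token, so its requests will fail `verified_request?` unless the token is delivered to the client some other way. Add a sentence saying so, and state explicitly that the option defaults to `false`.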
2 changes: 1 addition & 1 deletion angular_rails_csrf.gemspec
@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
s.add_development_dependency 'rake', '~> 13.0'
s.add_development_dependency 'test-unit', '~> 3.2'
if ENV['TEST_RAILS_VERSION'].nil?
s.add_development_dependency 'rails', '6.0.3.2'
s.add_development_dependency 'rails', '6.0.3.3'
else
s.add_development_dependency 'rails', ENV['TEST_RAILS_VERSION'].to_s
end
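Review bot: the bump from `6.0.3.2` to `6.0.3.3` is a test-only pin, but it is not reflected in the CHANGELOG hunk above; add a bullet under 4.5.0 so the release notes and the gemspec agree. The exact pin is fine for a development dependency because the `else` branch already lets CI override it through `TEST_RAILS_VERSION`.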
35 changes: 11 additions & 24 deletions lib/angular_rails_csrf/concern.rb
@@ -13,19 +13,20 @@ def set_xsrf_token_cookie

config = Rails.application.config

same_site = same_site_from config
httponly = httponly_from config
secure = secure_from config
secure = option_from config, :angular_rails_csrf_secure
same_site = option_from config, :angular_rails_csrf_same_site, :lax

cookie_options = {
value: form_authenticity_token,
domain: domain_from(config),
domain: option_from(config, :angular_rails_csrf_domain),
same_site: same_site,
httponly: httponly,
httponly: option_from(config, :angular_rails_csrf_httponly, false),
secure: same_site.eql?(:none) || secure
}

cookie_name = cookie_name_from config
cookie_name = option_from(config,
:angular_rails_csrf_cookie_name,
'XSRF-TOKEN')
cookies[cookie_name] = cookie_options
end
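Review bot: `secure: same_site.eql?(:none) || secure` only forces the Secure flag when the option is exactly the symbol `:none`. Rack also accepts string values such as `'None'` for `same_site`, so a user who writes `config.angular_rails_csrf_same_site = 'None'` gets a `SameSite=None` cookie without `Secure`, which current browsers drop. Normalize before comparing, for example `same_site.to_s.casecmp?('none') || secure`, and give `:angular_rails_csrf_secure` an explicit `false` default like the one `:angular_rails_csrf_httponly` now has, so that `secure:` is never `nil`. Minor style point: `domain:` reads its option inline while `secure` and `same_site` go through locals; pick one form, and the three-line `cookie_name = option_from(config, ...)` call fits on one line.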

@@ -35,24 +36,10 @@ def verified_request?

private

def same_site_from(config)
config.respond_to?(:angular_rails_csrf_same_site) ? config.angular_rails_csrf_same_site : :lax
end

def httponly_from(config)
config.respond_to?(:angular_rails_csrf_httponly) ? config.angular_rails_csrf_httponly : false
end

def secure_from(config)
config.angular_rails_csrf_secure if config.respond_to?(:angular_rails_csrf_secure)
end

def domain_from(config)
config.respond_to?(:angular_rails_csrf_domain) ? config.angular_rails_csrf_domain : nil
end

def cookie_name_from(config)
config.respond_to?(:angular_rails_csrf_cookie_name) ? config.angular_rails_csrf_cookie_name : 'XSRF-TOKEN'
# Fetches the given option from config
# If the option is not set, return a default value
def option_from(config, option, default = nil)
config.respond_to?(option) ? config.send(option) : default
end

module ClassMethods
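Review bot: `config.send(option)` in `option_from` should be `config.public_send(option)`; the option names are public readers on the Rails configuration object, and `send` would also reach private methods if a caller ever passed an unexpected symbol. The comment above the method is welcome, but it reads as two fragments; reword it as one sentence that mentions the default, e.g. `# Reads `option` from config, returning `default` when it is not set.`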
2 changes: 1 addition & 1 deletion lib/angular_rails_csrf/version.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true

module AngularRailsCsrf
VERSION = '4.4.0'
VERSION = '4.5.0'
end
