diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7ecc3fd..ab19a09 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 4.5.0 (21-Sep-20)
+
+* Added a new [`HttpOnly` option](https://github.com/jsanders/angular_rails_csrf#httponly-cookie) (thanks, [@Lubo-mir](https://github.com/Lubo-mir))
+* Introduced some code refactorings
+
 ## 4.4.0 (04-Aug-20)
 
 * Make the gem play nicely with controllers that do not have `protect_against_forgery?` method defined — for example, certain Doorkeeper controllers (thanks, [@amenz](https://github.com/amenz))
diff --git a/README.md b/README.md
index 22bfee0..14c3e17 100644
--- a/README.md
+++ b/README.md
@@ -84,7 +84,7 @@ Please note that [Safari is known to have issues](https://bugs.webkit.org/show_b
 
 ### HttpOnly Cookie
 
-To set a "httponly" flag for the cookie, set the `angular_rails_csrf_httponly` option to `true`:
+To set the ["httponly" flag](https://owasp.org/www-community/HttpOnly) for your cookie, set the `angular_rails_csrf_httponly` option to `true`:
 
 ```ruby
 # application.rb
diff --git a/angular_rails_csrf.gemspec b/angular_rails_csrf.gemspec
index 585dc54..ac07d03 100644
--- a/angular_rails_csrf.gemspec
+++ b/angular_rails_csrf.gemspec
@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rake', '~> 13.0'
   s.add_development_dependency 'test-unit', '~> 3.2'
   if ENV['TEST_RAILS_VERSION'].nil?
-    s.add_development_dependency 'rails', '6.0.3.2'
+    s.add_development_dependency 'rails', '6.0.3.3'
   else
     s.add_development_dependency 'rails', ENV['TEST_RAILS_VERSION'].to_s
   end
diff --git a/lib/angular_rails_csrf/concern.rb b/lib/angular_rails_csrf/concern.rb
index 6c1dd76..1138766 100644
--- a/lib/angular_rails_csrf/concern.rb
+++ b/lib/angular_rails_csrf/concern.rb
@@ -13,19 +13,20 @@ def set_xsrf_token_cookie
       config = Rails.application.config
-      same_site = same_site_from config
-      httponly = httponly_from config
-      secure = secure_from config
+      secure = option_from config, :angular_rails_csrf_secure
+      same_site = option_from config, :angular_rails_csrf_same_site, :lax
 
       cookie_options = {
         value: form_authenticity_token,
-        domain: domain_from(config),
+        domain: option_from(config, :angular_rails_csrf_domain),
         same_site: same_site,
-        httponly: httponly,
+        httponly: option_from(config, :angular_rails_csrf_httponly, false),
         secure: same_site.eql?(:none) || secure
       }
 
-      cookie_name = cookie_name_from config
+      cookie_name = option_from(config,
+                                :angular_rails_csrf_cookie_name,
+                                'XSRF-TOKEN')
       cookies[cookie_name] = cookie_options
     end
 
@@ -35,24 +36,10 @@ def verified_request?
 
     private
 
-    def same_site_from(config)
-      config.respond_to?(:angular_rails_csrf_same_site) ? config.angular_rails_csrf_same_site : :lax
-    end
-
-    def httponly_from(config)
-      config.respond_to?(:angular_rails_csrf_httponly) ? config.angular_rails_csrf_httponly : false
-    end
-
-    def secure_from(config)
-      config.angular_rails_csrf_secure if config.respond_to?(:angular_rails_csrf_secure)
-    end
-
-    def domain_from(config)
-      config.respond_to?(:angular_rails_csrf_domain) ? config.angular_rails_csrf_domain : nil
-    end
-
-    def cookie_name_from(config)
-      config.respond_to?(:angular_rails_csrf_cookie_name) ? config.angular_rails_csrf_cookie_name : 'XSRF-TOKEN'
+    # Fetches the given option from config
+    # If the option is not set, return a default value
+    def option_from(config, option, default = nil)
+      config.respond_to?(option) ? config.send(option) : default
     end
 
     module ClassMethods
diff --git a/lib/angular_rails_csrf/version.rb b/lib/angular_rails_csrf/version.rb
index d150c0e..8d77a95 100644
--- a/lib/angular_rails_csrf/version.rb
+++ b/lib/angular_rails_csrf/version.rb
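Review bot: The new `option_from` calls in `set_xsrf_token_cookie` mix the paren-less form on the assignments (`secure = option_from config, :angular_rails_csrf_secure`) with the parenthesized form inside the hash literal (`domain: option_from(config, :angular_rails_csrf_domain)`); using parentheses on every call with arguments keeps them uniform, e.g. `secure = option_from(config, :angular_rails_csrf_secure)` and `same_site = option_from(config, :angular_rails_csrf_same_site, :lax)`. On the new `secure` line the default is `nil`, so the cookie's Secure flag is only set when the option is configured or when `same_site` is `:none`; a short comment such as `# Secure is off unless configured or implied by SameSite=None` would make that visible at the point of use. The method's `def` line is outside the hunk.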
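Review bot: `option_from` guards with `config.respond_to?(option)`, which by default reports only public methods, but then dispatches with `config.send(option)`, which can also invoke private ones; `config.public_send(option)` keeps the guard and the call consistent. Every visible caller passes a literal symbol, so this is a consistency point rather than an exposure, but it makes the method's contract explicit. The two-line comment above the method could be written as YARD, e.g. `# @param option [Symbol] config accessor to read` and `# @return the option's value, or +default+ when config does not respond to it`. The enclosing module continues outside the hunk.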
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AngularRailsCsrf
-  VERSION = '4.4.0'
+  VERSION = '4.5.0'
 end