protect_from_forgery exceptions in auto_session_timeout method raises error with `raise_on_missing_callback_actions = true`

gfmurphy commented 8 months ago

Steps to reproduce

Create rails 7.1.x app
Ensure config.raise_on_missing_callback_actions = true set
Add auto_session_timeout to controller
Load a page

Expected results Page loads

Actual results Unknown action returned (404 status)

Notes

protect_from_forgery with except clause is root cause

Question Since active and timeout are documented to require get method, can we remove the protect_from_forgery call altogether? Is it required for get? This would allow us to run application with raise_on_missing_callback_actions = true

pelargir commented 7 months ago

That's correct, protect_from_forgery is not required for GET requests. I'd be happy to merge a PR if you create one.

pelargir commented 5 months ago

Resolved by https://github.com/pelargir/auto-session-timeout/pull/47

pelargir / auto-session-timeout

protect_from_forgery exceptions in auto_session_timeout method raises error with `raise_on_missing_callback_actions = true` #46