soveran / cuba

Rum based microframework for web development.
http://cuba.is
MIT License

Having issues with cuba safe #80

Closed Bezbo closed 7 years ago

Bezbo commented 8 years ago

The app is:

on "idea" do
  on get do
    token = csrf.token
    res.write({csrf: token}.to_json)
  end

  on post do
    p csrf.safe?
  end
end

In the tests:

test "ideas works" do
  csrf_token = JSON.parse(get("idea").body)["csrf"]
  post "idea", "csrf_token" => csrf_token
end

And I get false in the console. I inspected the session and every time it has different contents, so it does not get stored between requests. What am I doing wrong here?

soveran commented 8 years ago

Are you using sessions?

Bezbo commented 8 years ago

yes, I've got

Cuba.use Rack::Session::Cookie, :secret => "_this_must_be_secret"
Cuba.plugin Cuba::Safe
Cuba.plugin Cuba::Render

in app.rb

soveran commented 8 years ago

I don't know if I'm replicating your use case correctly. This is what I tried: I created a form where I insert the csrf.form_tag and I submit a POST request to /idea. Then I render a template that tells me whether or not the request was safe, and it works. I can share the code if you prefer, but as I'm guessing I'm not reproducing exactly what you are doing, maybe you want to paste more code to show me why it fails?

Bezbo commented 8 years ago

I am sending the csrf token with json, so the client gets it with a request to /idea GET, and then it posts some data with the token, that he got.

soveran commented 8 years ago

Can you show me how you post the token?

Bezbo commented 8 years ago

I tried sending it in the test like that: post "idea", "csrf_token" => csrf_token. Also I tried sending it with the header (this did not work). And now I decided just to write a JS client, to see if the session works. So I did it. And if I send the token using JS inside a JSON and then compare it with session[:csrf_token], they are equal, but still, if I send it inside a header, I get that csrf.safe? is false.

soveran commented 7 years ago

Hey @Bezbo, do you have some code to reproduce this? It's fine if you don't, I have some time and I can take a look at it later.

slowernet commented 7 years ago

@Bezbo You're not by any chance hitting the POST endpoint without the right Content-Type header (e.g. application/x-www-form-urlencoded) to trigger parameter parsing, are you? I ask because I was just bitten by this experimenting with the bare-metal fetch API.
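The two failure modes discussed above (Bezbo sending the token in a JSON body or a header, and slowernet's point that Rack only parses form parameters for a form-encoded Content-Type) can be reproduced without a web server. The following is an added illustration, not code from this thread and not Cuba's or Rack's own source: DemoRequest, DemoCsrf and csrf_demo are constructed stand-ins that imitate the shape of the csrf.token / csrf.safe? calls, and the real Cuba::Safe check may differ in detail.

```ruby
require "json"
require "securerandom"
require "uri"

# Constructed stand-in for the parts of a Rack request that matter in this
# thread: a session hash that the cookie middleware carries between requests,
# and form params that Rack only parses for form-encoded bodies. This is an
# added illustration, not Cuba's or Rack's own code.
FORM_TYPE = "application/x-www-form-urlencoded"

class DemoRequest
  attr_reader :session, :request_method, :content_type, :body

  def initialize(session:, request_method:, content_type: nil, body: "")
    @session = session
    @request_method = request_method
    @content_type = content_type
    @body = body
  end

  def get?
    request_method == "GET"
  end

  # Mirrors the behaviour slowernet describes: a JSON body is left unparsed,
  # so params["csrf_token"] is nil even though the token is in the body.
  def params
    return {} unless content_type == FORM_TYPE
    URI.decode_www_form(body).to_h
  end
end

# Hypothetical CSRF helper with the same shape as the thread's csrf.token and
# csrf.safe? calls: the token lives in the session and must come back as the
# csrf_token form parameter on state-changing requests.
class DemoCsrf
  def initialize(req)
    @req = req
  end

  def token
    @req.session["csrf_token"] ||= SecureRandom.hex(32)
  end

  def safe?
    return true if @req.get?
    expected = @req.session["csrf_token"]
    sent = @req.params["csrf_token"]
    return false if expected.nil? || sent.nil?
    secure_compare(expected, sent)
  end

  private

  # Constant-time comparison so the check does not leak the token via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Three POSTs against the same GET-issued token, returning which ones pass.
def csrf_demo
  session = {}
  token = DemoCsrf.new(DemoRequest.new(session: session, request_method: "GET")).token

  form_post = DemoRequest.new(session: session, request_method: "POST",
                              content_type: FORM_TYPE,
                              body: URI.encode_www_form("csrf_token" => token))
  json_post = DemoRequest.new(session: session, request_method: "POST",
                              content_type: "application/json",
                              body: { "csrf_token" => token }.to_json)
  # A request that arrives without the session cookie gets a fresh, empty session.
  no_cookie_post = DemoRequest.new(session: {}, request_method: "POST",
                                   content_type: FORM_TYPE,
                                   body: URI.encode_www_form("csrf_token" => token))

  {
    form_encoded: DemoCsrf.new(form_post).safe?,
    json_body: DemoCsrf.new(json_post).safe?,
    missing_session: DemoCsrf.new(no_cookie_post).safe?
  }
end

puts csrf_demo.inspect if $PROGRAM_NAME == __FILE__
```

Only the form-encoded POST that carries the same session passes; the JSON-body POST fails because the token never becomes a parameter, and the POST without the session cookie fails because there is no stored token to compare against, which is the "different contents every time" symptom from the first message.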

soveran commented 7 years ago

Closing this issue for now because it's working for me. If you run into this issue, please let me know so we can investigate further.