Closed Bezbo closed 7 years ago
Are you using sessions?
Yes, I've got
Cuba.use Rack::Session::Cookie, :secret => "_this_must_be_secret"
Cuba.plugin Cuba::Safe
Cuba.plugin Cuba::Render
in app.rb
I don't know if I'm replicating your use case correctly. This is what I tried: I created a form where I insert the csrf.form_tag and I submit a POST request to /idea. Then I render a template that tells me whether or not the request was safe, and it works. I can share the code if you prefer, but as I'm guessing I'm not reproducing exactly what you are doing, maybe you want to paste more code to show me why it fails?
I am sending the csrf token with JSON, so the client gets it with a GET request to /idea, and then it posts some data with the token that it got.
Can you show me how you post the token?
I tried sending it in the test like this: post "idea", "csrf_token" => csrf_token
Also I tried sending it with the header (this did not work).
And now I decided just to write a js client, to see if the session works.
So I did it. If I send the token using JS inside JSON and then compare it with session[:csrf_token], they are equal, but still, if I send it inside a header, I get that csrf.safe? is false.
Hey @Bezbo, do you have some code to reproduce this? It's fine if you don't, I have some time and I can take a look at it later.
@Bezbo You're not by any chance hitting the POST endpoint without the right Content-type header (eg. application/x-www-form-urlencoded) to trigger parameter parsing, are you? I ask because I was just bitten by this experimenting with the bare metal fetch API.
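Added example (constructed Ruby, not Cuba's or Rack's own code): a stand-in for Rack's body-parameter parsing plus a CSRF check, showing why a token that arrives in a JSON body or a header is invisible to a check that only reads parsed params, and a hardened variant that also accepts an X-CSRF-Token header. The helper names (body_params, csrf_safe?) and the header name are assumptions; the thread implies the check reads the token from the "csrf_token" param, and the sample requests are constructed inline with rack.input as a plain string rather than an IO.

```ruby
require "uri"
require "json"

# Mirrors what Rack::Request#params does with a request body: only a
# form-encoded body is parsed into params; a JSON body is left untouched.
# (Constructed re-implementation for illustration, not Rack's own code.)
def body_params(env)
  ctype = env["CONTENT_TYPE"].to_s.split(";").first.to_s.strip.downcase
  return {} unless ctype == "application/x-www-form-urlencoded"
  URI.decode_www_form(env["rack.input"].to_s).to_h
end

# Constant-time comparison so the check does not leak token bytes via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Param-only check, as in the issue: a JSON body or a header is never seen.
def csrf_safe_params_only?(env, session)
  expected = session[:csrf_token].to_s
  return false if expected.empty?
  secure_compare(expected, body_params(env)["csrf_token"].to_s)
end

# Hardened variant: also accept the token from an explicit request header.
# HTTP_X_CSRF_TOKEN is the CGI-style env key for an "X-CSRF-Token" header.
def csrf_safe?(env, session)
  expected = session[:csrf_token].to_s
  return false if expected.empty?
  presented = body_params(env)["csrf_token"] || env["HTTP_X_CSRF_TOKEN"]
  secure_compare(expected, presented.to_s)
end

# Constructed sample session and requests; all carry the same token.
SESSION = { csrf_token: "abc123" }.freeze
FORM_REQ = { "REQUEST_METHOD" => "POST",
             "CONTENT_TYPE" => "application/x-www-form-urlencoded",
             "rack.input" => "csrf_token=abc123&title=hello" }.freeze
JSON_REQ = { "REQUEST_METHOD" => "POST", "CONTENT_TYPE" => "application/json",
             "rack.input" => JSON.generate("csrf_token" => "abc123") }.freeze
HEADER_REQ = { "REQUEST_METHOD" => "POST", "CONTENT_TYPE" => "application/json",
               "HTTP_X_CSRF_TOKEN" => "abc123", "rack.input" => "{}" }.freeze

if __FILE__ == $0
  [FORM_REQ, JSON_REQ, HEADER_REQ].each do |req|
    puts "#{req["CONTENT_TYPE"]}: params-only=#{csrf_safe_params_only?(req, SESSION)} " \
         "hardened=#{csrf_safe?(req, SESSION)}"
  end
end
```

Only the form-encoded request passes the params-only check; the JSON body fails both checks, and the header is accepted only by the hardened variant.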
Closing this issue for now because it's working for me. If you run into this issue, please let me know so we can investigate further.
The app is:
In the tests:
And I get false in the console. I inspected the session and every time it has different contents, so it does not get stored between requests. What am I doing wrong here?