From f106ad0ef0afc35c90be1793b5c0789f35e80dab Mon Sep 17 00:00:00 2001
From: Thorsten Eckel
Date: Mon, 21 Jan 2019 11:36:41 +0100
Subject: [PATCH] Improved header handling.
---
 app/controllers/sessions_controller.rb | 2 +-
 spec/requests/api_auth_spec.rb | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 4e4be2efb..ee2944184 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -2,7 +2,7 @@ class SessionsController < ApplicationController
   prepend_before_action :authentication_check, only: %i[switch_to_user list delete]
-  skip_before_action :verify_csrf_token, only: %i[create show destroy create_omniauth failure_omniauth create_sso]
+  skip_before_action :verify_csrf_token, only: %i[show destroy create_omniauth failure_omniauth create_sso]
   # "Create" a login, aka "log the user in"
   def create
diff --git a/spec/requests/api_auth_spec.rb b/spec/requests/api_auth_spec.rb
index df8de3414..eabf60cef 100644
--- a/spec/requests/api_auth_spec.rb
+++ b/spec/requests/api_auth_spec.rb
@@ -2,6 +2,17 @@ require 'rails_helper'
 RSpec.describe 'Api Auth', type: :request do
+  around(:each) do |example|
+    orig = ActionController::Base.allow_forgery_protection
+
+    begin
+      ActionController::Base.allow_forgery_protection = true
+      example.run
+    ensure
+      ActionController::Base.allow_forgery_protection = orig
+    end
+  end
+
   let(:admin_user) do
     create(:admin_user)
   end
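Review bot: Removing `create` from the `verify_csrf_token` skip list on the changed line turns the sign-in POST into a CSRF-protected request, which is the right default for a login endpoint, but nothing on that line records that clients must now obtain a token before calling `/api/v1/signin`, and the commit title does not say so either. A short comment would help, e.g. `# create is deliberately not skipped: POST /api/v1/signin must carry the CSRF token issued on a prior GET (see spec/requests/api_auth_spec.rb)`. Whether `verify_csrf_token` already exempts requests that authenticate by access token or HTTP basic auth cannot be seen here, since its definition lies outside this hunk; if it does not, non-browser API clients will start receiving rejections on sign-in, so that path deserves a request spec alongside the session-based one.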
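Review bot: The `around(:each)` hook assigns `allow_forgery_protection` on `ActionController::Base`, and that setting is a class-level config attribute in Rails, so if `ApplicationController` (not visible here) sets its own value the hook would not reach the controllers under test; it presumably does not, since the signin example in the later hunk depends on the check firing, but a why-comment would make the intent explicit, e.g. `# forgery protection is off in the test environment by default; enable it so the CSRF check on POST /api/v1/signin is actually exercised`. In RSpec 3 `around` already runs per example, so `around do |example|` is equivalent to `around(:each)` and matches the `let` style used below.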
@@ -369,7 +380,10 @@ RSpec.describe 'Api Auth', type: :request do
   it 'does session auth - admin' do
     create(:admin_user, login: 'api-admin@example.com', password: 'adminpw')
-    post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }
+    get '/'
+    token = response.headers['CSRF-TOKEN']
+
+    post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }, headers: { 'X-CSRF-Token' => token }
     expect(response.header.key?('Access-Control-Allow-Origin')).to be_falsey
     expect(response).to have_http_status(201)