Improved header handling.
This commit is contained in:
parent
de15ce2cdf
commit
f106ad0ef0
2 changed files with 16 additions and 2 deletions
@ -2,7 +2,7 @@
class SessionsController < ApplicationController
class SessionsController < ApplicationController
prepend_before_action :authentication_check, only: %i[switch_to_user list delete]
prepend_before_action :authentication_check, only: %i[switch_to_user list delete]
skip_before_action :verify_csrf_token, only: %i[create show destroy create_omniauth failure_omniauth create_sso]
skip_before_action :verify_csrf_token, only: %i[show destroy create_omniauth failure_omniauth create_sso]
# "Create" a login, aka "log the user in"
# "Create" a login, aka "log the user in"
def create
def create
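Review bot: The `skip_before_action :verify_csrf_token` line is changed without any comment recording why `create` is now subject to the CSRF check; the side without `create` reads as the new one given the spec now sends `X-CSRF-Token` on sign-in, but the section's file-path header is not shown and the old/new sides are not marked, so treat that as inferred. A comment above the line such as `# create (password sign-in) is deliberately NOT skipped: it must present a valid CSRF token` would preserve the intent for the next reader. The remaining exemptions (`show`, `destroy`, `create_omniauth`, `failure_omniauth`, `create_sso`) are left as they were; if `destroy` (logout) is meant to stay exempt, it is worth saying so in the same comment, since that is the usual follow-up question on a CSRF skip list. The `create` method body itself lies outside the hunk.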
@ -2,6 +2,17 @@ require 'rails_helper'
RSpec.describe 'Api Auth', type: :request do
RSpec.describe 'Api Auth', type: :request do
around(:each) do |example|
orig = ActionController::Base.allow_forgery_protection
begin
ActionController::Base.allow_forgery_protection = true
example.run
ensure
ActionController::Base.allow_forgery_protection = orig
end
end
let(:admin_user) do
let(:admin_user) do
create(:admin_user)
create(:admin_user)
end
end
@ -369,7 +380,10 @@ RSpec.describe 'Api Auth', type: :request do
it 'does session auth - admin' do
it 'does session auth - admin' do
create(:admin_user, login: 'api-admin@example.com', password: 'adminpw')
create(:admin_user, login: 'api-admin@example.com', password: 'adminpw')
post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }
get '/'
token = response.headers['CSRF-TOKEN']
post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }, headers: { 'X-CSRF-Token' => token }
expect(response.header.key?('Access-Control-Allow-Origin')).to be_falsey
expect(response.header.key?('Access-Control-Allow-Origin')).to be_falsey
expect(response).to have_http_status(201)
expect(response).to have_http_status(201)
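Review bot: In the 'does session auth - admin' example (second hunk of this section), `token = response.headers['CSRF-TOKEN']` is never checked, so if `get '/'` stops emitting that header the sign-in request silently goes out with `'X-CSRF-Token' => nil` and the failure only shows up as a confusing non-201 status; add `expect(token).not_to be_nil` before the `post`. The same example mixes `response.header.key?(...)` with `response.headers[...]`; using `headers` in both places keeps it consistent. In the first hunk, the `around(:each)` block wraps its body in `begin … ensure … end`, whereas `ensure` can sit directly inside the `do … end` block (Ruby 2.5+), which drops two lines and a nesting level. Since forgery protection is now enabled for the whole describe block, any other example in this file that posts to `/api/v1/signin` (outside these hunks, if any exist) will need the same token handshake.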