Make Devise::FailureApp commit the CSRF token on Rails 7.1+.#5851
Open
augustocbx wants to merge 1 commit into
Open
Make Devise::FailureApp commit the CSRF token on Rails 7.1+.#5851augustocbx wants to merge 1 commit into
augustocbx wants to merge 1 commit into
Conversation
augustocbx
force-pushed
the
fix-failure-app-csrf-token-storage
branch
from
ed9d010 to
79ce74e
Compare
augustocbx
force-pushed
the
fix-failure-app-csrf-token-storage
branch
from
79ce74e to
dc25c69
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rails 7.1 changed CSRF token storage (rails/rails#44283) so the deferred token is committed to the session at the end of the request through the controller instance, which must respond to
commit_csrf_token.Devise::FailureAppextendsActionController::Metal(notActionController::Base) and becomes that controller instance when:wardenis thrown, so on an authentication failure the deferred CSRF token — and the session itself — were silently dropped (no session cookie returned).This includes
ActionController::RequestForgeryProtectioninDevise::FailureAppso it providescommit_csrf_token, restoring CSRF token and session persistence on auth failure. OnlyFailureAppneeds this, since real controllers already get it fromActionController::Base.Fixes #5698.