Ensure CSRF protection runs before all other filters

tvdeyen · tvdeyen · commit cf0d606e8787 · 2019-04-24T10:49:54.000+02:00
Rails 5.2 does not prepend forgery protection before all other controller filters anymore. If you access the `current_user` method in an before filter (for instance because you want to store its id in an error tracking service context) you will see a "Can't verify CSRF token authenticity" error in your logs and the login fails. Fixed by prepending the CSRF forgery protection in our sessions controller. Closes #80
diff --git a/app/controllers/alchemy/user_sessions_controller.rb b/app/controllers/alchemy/user_sessions_controller.rb
@@ -2,6 +2,8 @@ module Alchemy
   class UserSessionsController < ::Devise::SessionsController
     include Alchemy::Admin::Locale
 
+    protect_from_forgery prepend: true
+
     before_action except: 'destroy' do
       enforce_ssl if ssl_required? && !request.ssl?
     end
diff --git a/spec/dummy/app/controllers/application_controller.rb b/spec/dummy/app/controllers/application_controller.rb
@@ -1,5 +1,4 @@
 class ApplicationController < ActionController::Base
-  # Prevent CSRF attacks by raising an exception.
-  # For APIs, you may want to use :null_session instead.
-  protect_from_forgery with: :exception
+  # @See https://github.com/AlchemyCMS/alchemy-devise/issues/80
+  before_action { current_user }
 end
diff --git a/spec/dummy/config/environments/test.rb b/spec/dummy/config/environments/test.rb
@@ -26,10 +26,7 @@
   config.action_dispatch.show_exceptions = false
 
   # Disable request forgery protection in test environment.
-  config.action_controller.allow_forgery_protection = false
-
-  # Store uploaded files on the local file system in a temporary directory
-  # config.active_storage.service = :test
+  config.action_controller.allow_forgery_protection = true
 
   config.action_mailer.perform_caching = false
 
diff --git a/spec/features/login_feature_spec.rb b/spec/features/login_feature_spec.rb
@@ -1,7 +1,17 @@
 require 'spec_helper'
 
 describe "Login: " do
-  context "If users present" do
+  context "If user is present" do
+    let!(:user) do
+      Alchemy::User.create!(
+        login: 'admin',
+        email: 'admin@example.com',
+        password: 's3cr3t',
+        password_confirmation: 's3cr3t',
+        alchemy_roles: %w[admin]
+      )
+    end
+
     let!(:default_key) { Devise.authentication_keys }
 
     before do
@@ -13,6 +23,14 @@
         visit '/admin/login'
         expect(page).to have_field('user_login')
       end
+
+      it "works" do
+        visit '/admin/login'
+        fill_in 'user_login', with: user.login
+        fill_in 'user_password', with: user.password
+        click_button 'Login'
+        expect(page).to have_content('Welcome back admin')
+      end
     end
 
     context "with default Devise configuration" do
@@ -25,6 +43,14 @@
         expect(page).to have_field('user_email')
       end
 
+      it "works" do
+        visit '/admin/login'
+        fill_in 'user_email', with: user.email
+        fill_in 'user_password', with: user.password
+        click_button 'Login'
+        expect(page).to have_content('Welcome back admin')
+      end
+
       after do
         Devise.authentication_keys = default_key
       end
