Having issues with cuba safe about cuba HOT 9 CLOSED

Are you using sessions?

from cuba.

yes, i've got

Cuba.use Rack::Session::Cookie, :secret => "_this_must_be_secret"
Cuba.plugin Cuba::Safe
Cuba.plugin Cuba::Render

in app.rb

from cuba.

I don't know if I'm replicating your use case correctly. This is what I tried: I created a form where I insert the csrf.form_tag and I submit a POST request to /idea. Then I render a template that tells me whether or not the request was safe, and it works. I can share the code if you prefer, but as I'm guessing I'm not reproducing exactly what you are doing, maybe you want to paste more code to show me why it fails?

from cuba.

I am sending the csrf token with json, so the client gets it with a request to /idea GET, and then it posts some data with the token, that he got.

from cuba.

Can you show me how you post the token?

from cuba.

I tried sending it in the test like that post "idea", "csrf_token" => csrf_token
Also I tried sending it with the header, (this did not work).
And now I decided just to write a js client, to see if the session works.
So I did it. And if I send the token using js inside a json and then compare it with session[:csrf_token] - they are equal, but still, if I send it inside header - I get that csrf.safe? is false

from cuba.

Hey @Bezbo, do you have some code to reproduce this? It's fine if you don't, I have some time and I can take a look at it later.

from cuba.

@Bezbo You're not by any chance hitting the POST endpoint without the right Content-type header (eg. application/x-www-form-urlencoded) to trigger parameter parsing, are you? I ask because I was just bitten by this experimenting with the bare metal fetch API.

from cuba.

Closing this issue for now because it's working for me. If you run into this issue, please let me know so we can investigate further.

from cuba.