Comments (9)
Are you using sessions?
from cuba.
Yes, I've got

require "cuba"
require "cuba/safe"    # requires added: provides Cuba::Safe
require "cuba/render"  # requires added: provides Cuba::Render

Cuba.use Rack::Session::Cookie, :secret => "_this_must_be_secret"
Cuba.plugin Cuba::Safe
Cuba.plugin Cuba::Render

in app.rb
from cuba.
I don't know if I'm replicating your use case correctly. This is what I tried: I created a form where I insert the csrf.form_tag and I submit a POST request to /idea. Then I render a template that tells me whether or not the request was safe, and it works. I can share the code if you prefer, but as I'm guessing I'm not reproducing exactly what you are doing, maybe you want to paste more code to show me why it fails?
from cuba.
I am sending the CSRF token with JSON, so the client gets it with a GET request to /idea, and then it posts some data with the token that it got.
from cuba.
Can you show me how you post the token?
from cuba.
I tried sending it in the test like that: post "idea", "csrf_token" => csrf_token
Also I tried sending it with the header (this did not work).
And now I decided just to write a JS client, to see if the session works.
So I did it. And if I send the token using JS inside JSON and then compare it with session[:csrf_token], they are equal, but still, if I send it inside a header, I get that csrf.safe? is false.
from cuba.
Hey @Bezbo, do you have some code to reproduce this? It's fine if you don't, I have some time and I can take a look at it later.
from cuba.
@Bezbo You're not by any chance hitting the POST endpoint without the right Content-Type header (e.g. application/x-www-form-urlencoded) to trigger parameter parsing, are you? I ask because I was just bitten by this experimenting with the bare-metal fetch API.
from cuba.
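The Content-Type point above, as an added example that is not code from the original thread, from Cuba or from Cuba::Safe: a stdlib-only stand-in for the form parsing Rack::Request#POST does, plus a session-backed token check that accepts the token either as a form field or in an X-CSRF-Token header (the path a JSON/fetch client would use). The field name "csrf_token", the header name, the Hash standing in for the cookie session and the check itself are assumptions of this example, not Cuba::Safe's implementation; the three requests are constructed inline.

```ruby
require "json"
require "securerandom"
require "uri"

# Stand-in for the part of Rack::Request#POST that matters here: the body only
# becomes form params when the Content-Type says it is a form. Multipart bodies
# are left out to keep the example short (Rack parses those too).
def form_params(env)
  media_type = env["CONTENT_TYPE"].to_s.split(";").first.to_s.strip.downcase
  return {} unless media_type == "application/x-www-form-urlencoded"
  # rack.input is a String here for simplicity; in Rack it is an IO you #read.
  URI.decode_www_form(env["rack.input"].to_s).to_h
end

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The session is a plain Hash standing in for Rack::Session::Cookie's session;
# the :csrf_token key matches what the thread reports inspecting.
def csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# This example's own check (not Cuba::Safe's csrf.safe?): accept the token from
# the hypothetical "csrf_token" form field or from an X-CSRF-Token header.
def csrf_safe?(env, session)
  candidate = form_params(env)["csrf_token"] || env["HTTP_X_CSRF_TOKEN"]
  secure_compare(candidate, csrf_token(session))
end

# Build a Rack-style env for a POST; request headers become HTTP_* keys as in Rack.
def post_env(body, content_type: nil, headers: {})
  env = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/idea", "rack.input" => body }
  env["CONTENT_TYPE"] = content_type if content_type
  headers.each { |name, value| env["HTTP_" + name.upcase.tr("-", "_")] = value }
  env
end

# Three constructed requests against one session, mirroring the thread.
def demo
  session = {}
  token = csrf_token(session)
  form = post_env("csrf_token=#{token}&text=hi",
                  content_type: "application/x-www-form-urlencoded")
  json_body = post_env(JSON.generate("csrf_token" => token, "text" => "hi"),
                       content_type: "application/json")
  header = post_env(JSON.generate("text" => "hi"),
                    content_type: "application/json",
                    headers: { "X-CSRF-Token" => token })
  {
    form: csrf_safe?(form, session),           # form body is parsed into params
    json_body: csrf_safe?(json_body, session), # a JSON body is never form-parsed
    header: csrf_safe?(header, session)        # header path works regardless of body
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The JSON case is the one to notice: the token is in the body and equals the session value, yet a check that only looks at form params never sees it, because nothing parsed that body. A client posting JSON has to send the token in a header that the server-side check actually reads, or the server has to parse the JSON body itself before checking.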
Closing this issue for now because it's working for me. If you run into this issue, please let me know so we can investigate further.
from cuba.