Disable storage on CSRF
parent
4bc2ff997a
commit
66716023e4
@ -255,6 +255,7 @@ module Devise
def handle_unverified_request
sign_out_all_scopes
warden.clear_strategies_cache!
request.env["devise.skip_storage"] = true
expire_devise_cached_variables!
super # call the default behaviour which resets the session
end
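Review bot: The env key `"devise.skip_storage"` written on the new line is a bare string literal that has to match the one read by `Strategies::Base#store?` in the third hunk; if either side is renamed the protection disappears without any error, so it would be safer to define the key once (a frozen constant on the Devise namespace, for example) and reference it from both places. The line also deserves a why-comment, because the effect is invisible from the controller: `# Flag this request so Warden strategies refuse to persist any authentication (see Strategies::Base#store?)`. The `@@ module Devise` context suggests this method lives in a helper module whose definition starts before the hunk.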
@ -9,7 +9,7 @@ module Devise
attr_accessor :authentication_hash, :authentication_type, :password
|
def store?
!mapping.to.skip_session_storage.include?(authentication_type)
super && !mapping.to.skip_session_storage.include?(authentication_type)
end
|
def valid?
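Review bot: The new `store?` body relies on `super` being evaluated first, so the `mapping.to.skip_session_storage` lookup is short-circuited whenever the base strategy has already refused storage; nothing in the hunk says that ordering is intentional, and a reader could "simplify" it by swapping the operands. A one-line comment above the expression would pin the intent: `# Never persist once the base strategy has refused storage for this request; otherwise honour the model's per-type opt-out`. Which class `super` resolves to is not visible here (presumably `Strategies::Base`), the enclosing class starts before the hunk, and `valid?` continues after it.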
@ -2,6 +2,11 @@ module Devise
module Strategies
# Base strategy for Devise. Responsible for verifying correct scope and mapping.
class Base < ::Warden::Strategies::Base
# Whenever CSRF cannot be verified, we turn off any kind of storage
def store?
!env["devise.skip_storage"]
end
|
# Checks if a valid scope was given for devise and find mapping based on this scope.
def mapping
@mapping ||= begin
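Review bot: The comment above the new `store?` promises that "any kind of storage" is turned off, but a strategy's `store?` only governs whether Warden serializes the authenticated user into the session when it calls `set_user` after a winning strategy (as far as I recall Warden's proxy does `set_user(user, store: strategy.store?)`); cookies or other state a strategy writes itself are unaffected. Narrowing the comment avoids a false sense of coverage: `# When CSRF verification fails the controller sets env["devise.skip_storage"]; returning false here stops Warden from writing the authenticated user into the session for this request`. Note also that `!env[...]` treats any non-nil, non-false value as "skip", which is fine as long as the only writer assigns `true`. The `mapping` method's `begin` block is cut off by the end of the hunk.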