Skip storage for cookies on unverified requests

2022-11-09 12:18:31 -05:00 · 2013-08-05 10:24:11 +02:00 · 2013-08-05 10:24:11 +02:00 · f5a77ac598
commit f5a77ac598
parent 591f4a97f7
6 changed files with 28 additions and 18 deletions
--- a/lib/devise/controllers/rememberable.rb
+++ b/lib/devise/controllers/rememberable.rb
@ -21,6 +21,7 @@ module Devise

      # Remembers the given resource by setting up a cookie
      def remember_me(resource)
+        return if env["devise.skip_storage"]
        scope = Devise::Mapping.find_scope!(resource)
        resource.remember_me!(resource.extend_remember_period)
        cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)
--- a/lib/devise/rails/warden_compat.rb
+++ b/lib/devise/rails/warden_compat.rb
@ -3,9 +3,16 @@ module Warden::Mixins::Common
    @request ||= ActionDispatch::Request.new(env)
  end

-  # This is called internally by Warden on logout
+  NULL_STORE =
+    defined?(ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash) ?
+      ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash : nil
+
  def reset_session!
-    request.reset_session
+    # Calling reset_session on NULL_STORE causes it fail.
+    # This is a bug that needs to be fixed in Rails.
+    unless NULL_STORE && request.session.is_a?(NULL_STORE)
+      request.reset_session
+    end
  end

  def cookies
--- a/test/controllers/helpers_test.rb
+++ b/test/controllers/helpers_test.rb
@ -202,7 +202,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase

  test 'sign in and redirect uses the stored location' do
    user = User.new
-    @controller.session[:"user_return_to"] = "/foo.bar"
+    @controller.session[:user_return_to] = "/foo.bar"
    @mock_warden.expects(:user).with(:user).returns(nil)
    @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
    @controller.expects(:redirect_to).with("/foo.bar")
--- a/test/integration/authenticatable_test.rb
+++ b/test/integration/authenticatable_test.rb
@ -433,7 +433,7 @@ end

 class AuthenticationOthersTest < ActionDispatch::IntegrationTest
  test 'handles unverified requests gets rid of caches' do
-    swap UsersController, :allow_forgery_protection => true do
+    swap ApplicationController, :allow_forgery_protection => true do
      post exhibit_user_url(1)
      assert_not warden.authenticated?(:user)

--- a/test/integration/http_authenticatable_test.rb
+++ b/test/integration/http_authenticatable_test.rb
@ -2,7 +2,7 @@ require 'test_helper'

 class HttpAuthenticationTest < ActionDispatch::IntegrationTest
  test 'handles unverified requests gets rid of caches but continues signed in' do
-    swap UsersController, :allow_forgery_protection => true do
+    swap ApplicationController, :allow_forgery_protection => true do
      create_user
      post exhibit_user_url(1), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("user@test.com:12345678")}"
      assert warden.authenticated?(:user)
--- a/test/integration/rememberable_test.rb
+++ b/test/integration/rememberable_test.rb
@ -30,8 +30,8 @@ class RememberMeTest < ActionDispatch::IntegrationTest
    assert_nil request.cookies["remember_user_cookie"]
  end

-  test 'handles unverified requests gets rid of caches' do
-    swap UsersController, :allow_forgery_protection => true do
+  test 'handle unverified requests gets rid of caches' do
+    swap ApplicationController, :allow_forgery_protection => true do
      post exhibit_user_url(1)
      assert_not warden.authenticated?(:user)

@ -42,9 +42,21 @@ class RememberMeTest < ActionDispatch::IntegrationTest
    end
  end

+  test 'handle unverified requests does not create cookies on sign in' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      get new_user_session_path
+      assert request.session[:_csrf_token]
+
+      post user_session_path, :authenticity_token => "oops", :user =>
+           { email: "jose.valim@gmail.com", password: "123456", :remember_me => "1" }
+      assert_not warden.authenticated?(:user)
+      assert_not request.cookies['remember_user_token']
+    end
+  end
+
  test 'generate remember token after sign in' do
    sign_in_as_user :remember_me => true
-    assert request.cookies["remember_user_token"]
+    assert request.cookies['remember_user_token']
  end

  test 'generate remember token after sign in setting cookie options' do
@ -90,16 +102,6 @@ class RememberMeTest < ActionDispatch::IntegrationTest
    assert_redirected_to root_path
  end

-  test 'cookies are destroyed on unverified requests' do
-    swap ApplicationController, :allow_forgery_protection => true do
-      create_user_and_remember
-      get users_path
-      assert warden.authenticated?(:user)
-      post root_path, :authenticity_token => 'INVALID'
-      assert_not warden.authenticated?(:user)
-    end
-  end
-
  test 'does not extend remember period through sign in' do
    swap Devise, :extend_remember_period => true, :remember_for => 1.year do
      user = create_user