mirror of
https://github.com/sinatra/sinatra
synced 2023-03-27 23:18:01 -04:00
Add :without_session
option to skip session based protection
This includes: * Rack::Protection::SessionHijacking * Rack::Protection::RemoteToken Closes #47
This commit is contained in:
parent
3286be8418
commit
46b1d85aee
2 changed files with 29 additions and 0 deletions
|
@ -23,6 +23,11 @@ module Rack
|
|||
# does not include: RemoteReferrer, AuthenticityToken and FormToken
|
||||
except = Array options[:except]
|
||||
use_these = Array options[:use]
|
||||
|
||||
if options.fetch(:without_session, false)
|
||||
except += [:session_hijacking, :remote_token]
|
||||
end
|
||||
|
||||
Rack::Builder.new do
|
||||
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
|
||||
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
|
||||
|
|
|
@ -100,4 +100,28 @@ describe Rack::Protection do
|
|||
it { expect(instrumenter).not_to receive(:instrument) }
|
||||
end
|
||||
end
|
||||
|
||||
describe "new" do
|
||||
it 'should allow disable session protection' do
|
||||
mock_app do
|
||||
use Rack::Protection, :without_session => true
|
||||
run DummyApp
|
||||
end
|
||||
|
||||
session = {:foo => :bar}
|
||||
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
|
||||
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
|
||||
expect(session[:foo]).to eq :bar
|
||||
end
|
||||
|
||||
it 'should allow disable CSRF protection' do
|
||||
mock_app do
|
||||
use Rack::Protection, :without_session => true
|
||||
run DummyApp
|
||||
end
|
||||
|
||||
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
|
||||
expect(last_response).to be_ok
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue