Add :without_session option to skip session based protection

This includes: * Rack::Protection::SessionHijacking * Rack::Protection::RemoteToken Closes #47
2023-03-27 23:18:01 -04:00 · 2016-07-26 17:37:38 +09:00 · 2016-07-26 17:37:38 +09:00 · 46b1d85aee
commit 46b1d85aee
parent 3286be8418
2 changed files with 29 additions and 0 deletions
--- a/rack-protection/lib/rack/protection.rb
+++ b/rack-protection/lib/rack/protection.rb
@ -23,6 +23,11 @@ module Rack
      # does not include: RemoteReferrer, AuthenticityToken and FormToken
      except = Array options[:except]
      use_these = Array options[:use]
+
+      if options.fetch(:without_session, false)
+        except += [:session_hijacking, :remote_token]
+      end
+
      Rack::Builder.new do
        use ::Rack::Protection::RemoteReferrer,        options if use_these.include? :remote_referrer
        use ::Rack::Protection::AuthenticityToken,     options if use_these.include? :authenticity_token
--- a/rack-protection/spec/lib/rack/protection/protection_spec.rb
+++ b/rack-protection/spec/lib/rack/protection/protection_spec.rb
@ -100,4 +100,28 @@ describe Rack::Protection do
      it { expect(instrumenter).not_to receive(:instrument) }
    end
  end
+
+  describe "new" do
+    it 'should allow disable session protection' do
+      mock_app do
+        use Rack::Protection, :without_session => true
+        run DummyApp
+      end
+
+      session = {:foo => :bar}
+      get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
+      get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
+      expect(session[:foo]).to eq :bar
+    end
+
+    it 'should allow disable CSRF protection' do
+      mock_app do
+        use Rack::Protection, :without_session => true
+        run DummyApp
+      end
+
+      post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
+      expect(last_response).to be_ok
+    end
+  end
 end