From 46b1d85aee1461dff5d9893e61553020729bbf92 Mon Sep 17 00:00:00 2001
From: Zachary Scott
Date: Tue, 26 Jul 2016 17:37:38 +0900
Subject: [PATCH] Add `:without_session` option to skip session based protection
This includes:
* Rack::Protection::SessionHijacking
* Rack::Protection::RemoteToken
Closes #47
---
rack-protection/lib/rack/protection.rb | 5 ++++
.../lib/rack/protection/protection_spec.rb | 24 +++++++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/rack-protection/lib/rack/protection.rb b/rack-protection/lib/rack/protection.rb
index 23424a0a..b7586219 100644
--- a/rack-protection/lib/rack/protection.rb
+++ b/rack-protection/lib/rack/protection.rb
@@ -23,6 +23,11 @@ module Rack
 # does not include: RemoteReferrer, AuthenticityToken and FormToken
 except = Array options[:except]
 use_these = Array options[:use]
+
+ if options.fetch(:without_session, false)
+ except += [:session_hijacking, :remote_token]
+ end
+
 Rack::Builder.new do
 use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
 use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
diff --git a/rack-protection/spec/lib/rack/protection/protection_spec.rb b/rack-protection/spec/lib/rack/protection/protection_spec.rb
index 35bd0ca1..a9afda22 100644
--- a/rack-protection/spec/lib/rack/protection/protection_spec.rb
+++ b/rack-protection/spec/lib/rack/protection/protection_spec.rb
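Review bot: The new `if options.fetch(:without_session, false)` branch drops Rack::Protection::RemoteToken — the referrer-based check that rejects cross-origin form POSTs — together with SessionHijacking, but nothing on the new lines records that an application passing this option now has to supply its own CSRF defence. The comment a few lines above already inventories the middlewares that are never added by default; a companion comment on the branch would keep that inventory honest, e.g. `# :without_session also skips session_hijacking and remote_token (CSRF); the app must provide its own CSRF defence`. Any truthy value enables the skip, so the modifier form `except += [:session_hijacking, :remote_token] if options[:without_session]` says the same in one line. Whether these two symbols are honoured depends on the `unless except.include?` lines below the hunk, which I cannot see, and the enclosing method also starts above the hunk.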
@@ -100,4 +100,28 @@ describe Rack::Protection do
 it { expect(instrumenter).not_to receive(:instrument) }
 end
 end
+
+ describe "new" do
+ it 'should allow disable session protection' do
+ mock_app do
+ use Rack::Protection, :without_session => true
+ run DummyApp
+ end
+
+ session = {:foo => :bar}
+ get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
+ get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
+ expect(session[:foo]).to eq :bar
+ end
+
+ it 'should allow disable CSRF protection' do
+ mock_app do
+ use Rack::Protection, :without_session => true
+ run DummyApp
+ end
+
+ post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
+ expect(last_response).to be_ok
+ end
+ end
 end
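Review bot: The 'should allow disable CSRF protection' example only shows that a cross-origin POST is accepted when `:without_session => true` is given; nothing in this hunk shows the same request being rejected without the option, so the example would still pass if RemoteToken had never blocked it. Unless an earlier example in the file already covers that (the spec continues above the hunk), a sibling example that builds the stack without the option and expects a non-OK response would tie the test to the behaviour the option switches off. The session example has the same gap: a control with the default stack asserting that `session[:foo]` is cleared after the user-agent change would give it the same teeth.
```ruby
      it 'should keep CSRF protection when :without_session is not given' do
        mock_app do
          use Rack::Protection
          run DummyApp
        end

        post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
        expect(last_response).not_to be_ok
      end
```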