API: disable rails session auth for non-GET/HEAD requests

2016-09-22 13:56:43 +01:00 · 2016-09-22 13:56:43 +01:00 · fd51f19c97
parent 294482f383
commit fd51f19c97
2 changed files with 37 additions and 7 deletions
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@ -21,8 +21,11 @@ module API
    end

    # Check the Rails session for valid authentication details
+    #
+    # Until CSRF protection is added to the API, disallow this method for
+    # state-changing endpoints
    def find_user_from_warden
-      warden ? warden.authenticate : nil
+      warden.try(:authenticate) if request.get? || request.head?
    end

    def find_user_by_private_token
--- a/spec/requests/api/api_helpers_spec.rb
+++ b/spec/requests/api/api_helpers_spec.rb
@ -10,7 +10,8 @@ describe API::Helpers, api: true do
  let(:key) { create(:key, user: user) }

  let(:params) { {} }
-  let(:env) { {} }
+  let(:env) { { 'REQUEST_METHOD' => 'GET' } }
+  let(:request) { Rack::Request.new(env) }

  def set_env(token_usr, identifier)
    clear_env
@ -52,17 +53,43 @@ describe API::Helpers, api: true do
  describe ".current_user" do
    subject { current_user }

-    describe "when authenticating via Warden" do
+    describe "Warden authentication" do
      before { doorkeeper_guard_returns false }

-      context "fails" do
-        it { is_expected.to be_nil }
+      context "with invalid credentials" do
+        context "GET request" do
+          before { env['REQUEST_METHOD'] = 'GET' }
+          it { is_expected.to be_nil }
+        end
      end

-      context "succeeds" do
+      context "with valid credentials" do
        before { warden_authenticate_returns user }

-        it { is_expected.to eq(user) }
+        context "GET request" do
+          before { env['REQUEST_METHOD'] = 'GET' }
+          it { is_expected.to eq(user) }
+        end
+
+        context "HEAD request" do
+          before { env['REQUEST_METHOD'] = 'HEAD' }
+          it { is_expected.to eq(user) }
+        end
+
+        context "PUT request" do
+          before { env['REQUEST_METHOD'] = 'PUT' }
+          it { is_expected.to be_nil }
+        end
+
+        context "POST request" do
+          before { env['REQUEST_METHOD'] = 'POST' }
+          it { is_expected.to be_nil }
+        end
+
+        context "DELETE request" do
+          before { env['REQUEST_METHOD'] = 'DELETE' }
+          it { is_expected.to be_nil }
+        end
      end
    end