When designing a REST API for one of my resources, I am getting a warning message like this:
> WARNING: Can't verify CSRF token authenticity
in the logs. This should NOT be happening, as I am accessing my resource using a JSON API through a POST request. The following rails file:
rails/actionpack/lib/action_controller/metal/request_forgery_protection.rb
clearly states
"Only HTML and JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication scheme there anyway). Also, GET requests are not protected as these should be idempotent."
In addition to this message in the logs, the Rails code also "resets" my non-existent session. Doing a little digging shows a problem in this function:
There is no check on the content type here. By the way, you can easily set the content type of your request in a curl request like this:
> curl -H "Content-Type: application/json" -d '{"email":"abc@xyz.com", "password":"xyzc123"}' http://localhost:3000/sessions.json -i
Comparing the same code to Rails 3.0:
I see the additional check "request.forgery_whitelisted?", which ends up checking for the "JSON" and "XML" content types and returns true for them. I plan to submit a bug, and in the meantime you can work around it by overriding

> def verified_request?
>   !protect_against_forgery? || request.forgery_whitelisted? ||
>     form_authenticity_token == params[request_forgery_protection_token]
> end

in your controller or application controller. Good luck!
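To make the trade-off behind the workaround concrete, here is an added Ruby model (not Rails' own code) of the two verified_request? shapes discussed above, plus an assumed variant that ties the JSON exemption to a non-cookie credential; the Request struct, CsrfCheck class and X-Api-Key header are constructed for this example.

```ruby
require 'securerandom'

# Constructed stand-in for the request object (not Rails' ActionDispatch::Request).
Request = Struct.new(:content_type, :params, :headers, keyword_init: true) do
  # Mirrors Rails 3.0's forgery_whitelisted?: JSON and XML bodies skip the check.
  def forgery_whitelisted?
    %w[application/json application/xml].include?(content_type)
  end
end

class CsrfCheck
  TOKEN_PARAM = :authenticity_token

  def initialize(session_token)
    @session_token = session_token # the token Rails keeps in the user's session
  end

  # Rails 3.0 shape, i.e. the override from the post: a whitelisted content
  # type bypasses the token comparison entirely. A cross-site request that
  # carries the victim's session cookie and a JSON content type passes here
  # with no token at all, which is the point the comment below raises.
  def verified_with_whitelist?(req)
    req.forgery_whitelisted? || req.params[TOKEN_PARAM] == @session_token
  end

  # Rails 3.1 shape: every non-GET request must present the session token.
  def verified_strict?(req)
    req.params[TOKEN_PARAM] == @session_token
  end

  # Assumed alternative: skip the token only when the request authenticates
  # with a credential a browser will not attach on its own (hypothetical
  # X-Api-Key header), i.e. the "different authentication scheme" the Rails
  # comment expects an API to have.
  def verified_with_api_key?(req, api_key)
    req.headers['X-Api-Key'] == api_key || verified_strict?(req)
  end
end

SESSION_TOKEN = SecureRandom.hex(16)
API_KEY       = SecureRandom.hex(16)
CHECK         = CsrfCheck.new(SESSION_TOKEN)

# Constructed requests: a JSON POST with no token, a form POST with one,
# and a JSON POST that carries the API key instead of a token.
JSON_NO_TOKEN   = Request.new(content_type: 'application/json', params: {}, headers: {})
FORM_WITH_TOKEN = Request.new(content_type: 'application/x-www-form-urlencoded',
                              params: { authenticity_token: SESSION_TOKEN }, headers: {})
JSON_WITH_KEY   = Request.new(content_type: 'application/json', params: {},
                              headers: { 'X-Api-Key' => API_KEY })
```

Running it shows the whitelist version accepting JSON_NO_TOKEN while the strict and API-key versions reject it.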
Doesn't this open your API up to CSRF attacks for application/json requests?
I enjoyed reading this