solaris007 / angular_rails_csrf Goto Github PK

The AngularJS ng.$http service has built-in CSRF protection. By default, it looks for a cookie named XSRF-TOKEN and, if found, writes its value into an X-XSRF-TOKEN header, which the server compares with the CSRF token saved in the user's session.

This project adds direct support for this scheme to your Rails application without requiring any changes to your AngularJS application. It also doesn't require the use of csrf_meta_tags to write a CSRF token into your page markup, so it works for pure JSON API applications.

Note that there is nothing AngularJS specific here, and this will work with any other front-end that implements the same scheme.

Version 3 supports only Rails 4+ and Ruby 2.3+. If you are still on Rails 3 (2, 1?!), you have to utilize version 2.1.1!

Add this line to your application's Gemfile:

gem 'angular_rails_csrf'

And then execute:

$ bundle

That's it!

The default cookie's name is XSRF-TOKEN but it can be configured with the angular_rails_csrf_cookie_name setting:

# application.rb
class Application < Rails::Application
  #...
  config.angular_rails_csrf_cookie_name = 'CUSTOM_NAME'
end

Starting from version 3, you may set domain for the XSRF cookie:

# application.rb
class Application < Rails::Application
  #...
  config.angular_rails_csrf_domain = :all
end

If angular_rails_csrf_domain is not set, it defaults to nil.

Sometimes you will want to skip setting the XSRF token for certain controllers (for example, when using SSE or ActionCable, as discussed here):

class ExclusionsController < ApplicationController
  exclude_xsrf_token_cookie
  
  # your actions here...
end

Run

$ bundle install

and then

$ rake test

Licensed under the MIT License.