Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove form_authenticity_token method #371

Merged
merged 3 commits into from
Apr 19, 2024
Merged

Remove form_authenticity_token method #371

merged 3 commits into from
Apr 19, 2024

Conversation

willnet
Copy link
Member

@willnet willnet commented Apr 10, 2024

Fix #330

As detailed in the URL below, the call to form_authenticity_token wasn't useful and was causing issues like #330, so remove it.

ref:

@willnet
Remove form_authenticity_token method
54776c3 
Fix Sorcery#330

As detailed in the URL below, the call to `form_authenticity_token` wasn't useful and was causing issues like Sorcery#330, so remove it.

ref:
- Sorcery#357 (comment)
- Sorcery#357 (comment)
@willnet
Update CHANGELOG with removal of form_authenticity_token method
22cb9f1
@Spone
Copy link
Contributor

Spone commented Apr 10, 2024
edited
Loading

Why wasn't is useful? Can you elaborate?

What about including the module as described in #330 (comment)?

@joshbuker
Copy link
Member

@Spone to invert the question, what is the purpose of calling form_authenticity_token? That's something I don't fully understand yet personally, and from what @willnet is suggesting, it's actually not doing anything useful.

My assumption would be that it's to generate the csrf token in a scenario where rails wouldn't already do so, but that seems like it might be a legacy issue that is no longer relevant.

@Spone
Copy link
Contributor

Spone commented Apr 15, 2024

Apparently it was added in 8a7490c in order to add _csrf_token to the session.

I agree that if the behavior is not fully understood, and that removing the line does not break any test, and furthermore helps solve a current issue, we should do it.

Spone
Spone previously approved these changes Apr 15, 2024
View reviewed changes
@willnet
Copy link
Member Author

willnet commented Apr 17, 2024

As I mentioned here, I don't have enough information from this PR to be certain, but I believe form_authenticity_token was added in an attempt to solve this issue. My guess is that it was meant to maintain session[:_csrf_token] even after reset_session is executed. However, in reality, session[:_csrf_token] does not remain but is updated, so if my guess is correct, this method call becomes particularly meaningless.

@willnet
Copy link
Member Author

willnet commented Apr 17, 2024

I have resolved the conflict in CHANGELOG.md

@joshbuker joshbuker merged commit 0b3e831 into Sorcery:master Apr 19, 2024
10 checks passed
@willnet willnet deleted the remove-form_authenticity_token branch April 19, 2024 07:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshbuker joshbuker joshbuker approved these changes

@Spone Spone Spone approved these changes

@jonmchan jonmchan Awaiting requested review from jonmchan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Using sorcery in an API-only rails app does not work
3 participants
@willnet @Spone @joshbuker