Remove support for CSRF tokens #187
Comments
I'm really not sure. Looks like we might need something like OAuth - APIs are still vulnerable. The API and UI could use different auth mechanisms. This is not ideal, since then the UI can't use the API for a single-page app. Easiest is to rely on CORS for the API and a CSRF token for the UI. There is still potential for CSRF in the API. Hardest, but most secure, is OAuth for the API, where the key can be used by the UI. Resources:

The other option is to include the CSRF tokens. Support is already there, but there is currently no way to get a token from the server, and I'm not sure of the semantics of reusing the token multiple times in concurrent AJAX requests.
This seems to give the answer: http://stackoverflow.com/questions/7600347/rails-api-design-without-disabling-csrf-protection
In responses to authenticated API requests, include the CSRF token. This is partially implemented in https://github.com/QutBioacoustics/baw-server/blob/develop/app/controllers/application_controller.rb#L85
Next Steps
Server side:
Client side:

After much debugging and pain, we've decided that an auth token (as opposed to using cookies + XSRF tokens) is ideal. For now, in development mode, only auth tokens will be used. When deployed to staging / production, Angular's built-in XSRF token parsing (from cookies) will kick in and also work in addition to the auth token.
There is legacy support in the angular app for sending CSRF tokens back to the rails API.
However it seems that CORS support in rails/browsers means we don't need to worry about CSRF tokens anymore.
@cofiem can you confirm the above is accurate?
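Added example (not code from baw-server or its Angular client) covering the two points raised above: the "include the CSRF token in responses to authenticated API requests" approach, with the reuse semantics asked about for concurrent AJAX requests, and the auth-token-versus-cookie decision from the later comments. It implements a Rails-style masked synchronizer token in plain Ruby, with no Rack or Rails dependency, and a guard that decides which requests must carry that token. The requests are Hashes constructed for the example; `CsrfGuard`, its method names, the `_session_id` cookie name and the `Bearer` scheme are assumptions of this example, not the project's.

```ruby
require 'securerandom'

# Added example, not baw-server code. Module/method names, the cookie name
# `_session_id` and the `Bearer` scheme are assumptions for illustration.
module CsrfGuard
  TOKEN_BYTES = 32
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # One raw secret per session, created lazily; it lives as long as the session.
  def self.session_secret(session)
    session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_BYTES)
  end

  # Issue a token for the client: XOR the secret with a fresh one-time pad and
  # prepend the pad, so every issued token differs (defence against compression
  # side channels such as BREACH) while all of them unmask to the same secret.
  def self.issue(session)
    secret = session_secret(session)
    pad = SecureRandom.random_bytes(TOKEN_BYTES)
    masked = pad.bytes.zip(secret.bytes).map { |p, s| p ^ s }.pack('C*')
    [pad + masked].pack('m0') # strict base64, no newlines
  end

  # Recover the session secret from a masked token; nil if malformed.
  def self.unmask(token)
    raw = token.unpack1('m0')
    return nil unless raw.bytesize == 2 * TOKEN_BYTES
    pad = raw.byteslice(0, TOKEN_BYTES)
    masked = raw.byteslice(TOKEN_BYTES, TOKEN_BYTES)
    pad.bytes.zip(masked.bytes).map { |p, m| p ^ m }.pack('C*')
  rescue ArgumentError
    nil
  end

  # Constant-time comparison so the check does not leak how many leading bytes
  # of a guessed secret were right.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # A token is valid if it unmasks to this session's secret. Nothing is consumed
  # or rotated on success, which is why reuse across concurrent requests is fine.
  def self.valid?(session, token)
    return false if token.nil? || !session.key?(:_csrf_token)
    secret = unmask(token.to_s)
    !secret.nil? && secure_compare(secret, session[:_csrf_token])
  end

  # Which requests need a token. A request is { method:, headers:, cookies: }
  # (a constructed shape for this example, not Rack's).
  def self.csrf_required?(req)
    return false if SAFE_METHODS.include?(req[:method])
    # A bearer token is added explicitly by the client's own JavaScript; the
    # browser never attaches it to a request another site triggers, so such
    # requests are not forgeable and need no extra token.
    return false if req[:headers].fetch('Authorization', '').start_with?('Bearer ')
    # Anything authenticated only by a session cookie does need it: browsers send
    # cookies on cross-site "simple" requests (e.g. a plain HTML form POST) with
    # no preflight, and CORS only decides whether the attacker's page may read
    # the response, not whether the request reaches the server.
    req[:cookies].key?('_session_id')
  end

  def self.allow?(session, req)
    return true unless csrf_required?(req)
    valid?(session, req[:headers]['X-CSRF-Token'])
  end

  # Constructed sample requests (not captured traffic).
  def self.sample_requests(token)
    cookies = { '_session_id' => 'constructed-session-cookie' }
    {
      forged_form_post:   { method: 'POST', headers: {}, cookies: cookies },
      ajax_with_token:    { method: 'POST', headers: { 'X-CSRF-Token' => token }, cookies: cookies },
      ajax_other_session: { method: 'POST', headers: { 'X-CSRF-Token' => issue({}) }, cookies: cookies },
      bearer_api_call:    { method: 'DELETE', headers: { 'Authorization' => 'Bearer constructed-token' }, cookies: {} },
      plain_get:          { method: 'GET', headers: {}, cookies: cookies }
    }
  end

  # Run every sample through the guard and return { name => allowed? }.
  def self.demo
    session = {}
    token = issue(session)
    sample_requests(token).transform_values { |req| allow?(session, req) }
  end
end

if __FILE__ == $PROGRAM_NAME
  CsrfGuard.demo.each { |name, ok| puts "#{name}: #{ok ? 'allowed' : 'rejected'}" }
end
```

Running it rejects the cookie-only cross-site form post and the token from another session, and allows the app's own AJAX call with the issued token, the bearer-authenticated API call, and the GET. Two tokens issued to the same session look different but both verify, and verifying one does not invalidate the other, which is the reuse behaviour the thread asks about.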