
Limit formats allowed to make requests #735

Closed
andrewferk opened this issue Sep 16, 2016 · 1 comment

@andrewferk

All endpoints seem to support url parameters, x-www-form-urlencoded, json, and headers. Would it be better security to limit the formats allowed for the requests? If so, is there an easy way to do that now?

class AuthenticationTest < ActionDispatch::IntegrationTest

  setup do
    @user = create(:user)
    @sign_in_url = '/auth/sign_in'
  end

  describe 'sign in' do
    test 'with email and password x-www-form-urlencoded' do
      post @sign_in_url, params: {email: @user.email, password: @user.password}
      assert_equal 200, status
    end

    test 'with email and password headers' do
      post @sign_in_url, headers: {email: @user.email, password: @user.password}
      assert_equal 200, status
    end

    test 'with email and password url params' do
      post "#{@sign_in_url}?email=#{@user.email}&password=#{@user.password}"
      assert_equal 200, status
    end

    test 'with email and password json' do
      post @sign_in_url, as: :json, params: {email: @user.email, password: @user.password}
      assert_equal 200, status
    end
  end
end

Thanks!

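One way to do what the issue asks for a sign-in endpoint, as an added example that is not code from the issue or from the project: a plain-Ruby, Rack-style guard that accepts credentials only from an application/json body and rejects them when they arrive in the query string or as request headers (a Rails `before_action` can make the same checks with `request.query_parameters`, `request.headers` and `request.content_mime_type`). The env hash layout, `sign_in_guard`, `build_env` and the sample requests are all constructed for this example.

```ruby
require 'json'
require 'stringio'
require 'uri'

# Constructed example (not the project's code): accept sign-in credentials only in an
# application/json body; reject the same keys as query parameters or request headers.
CREDENTIAL_KEYS = %w[email password].freeze

def credential_in_query?(env)
  query = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  CREDENTIAL_KEYS.any? { |key| query.key?(key) }
end

def credential_in_headers?(env)
  # Rack exposes a request header "Email" as env['HTTP_EMAIL']
  CREDENTIAL_KEYS.any? { |key| env.key?("HTTP_#{key.upcase}") }
end

def json_content_type?(env)
  media_type = env['CONTENT_TYPE'].to_s.split(';').first.to_s.strip
  media_type.casecmp?('application/json')
end

def json_error(status, message)
  [status, { 'Content-Type' => 'application/json' }, [JSON.generate({ error: message })]]
end

# Returns a Rack response triple; 200 means the credentials were accepted from the
# only place this guard allows them: the JSON request body.
def sign_in_guard(env)
  return json_error(400, 'credentials not accepted in query string') if credential_in_query?(env)
  return json_error(400, 'credentials not accepted in headers') if credential_in_headers?(env)
  return json_error(415, 'only application/json bodies are accepted') unless json_content_type?(env)
  body = JSON.parse(env['rack.input'].read)
  missing = CREDENTIAL_KEYS.reject { |key| body.is_a?(Hash) && body[key].is_a?(String) }
  return json_error(400, "missing #{missing.join(', ')}") unless missing.empty?
  [200, { 'Content-Type' => 'application/json' }, [JSON.generate({ signed_in_as: body['email'] })]]
rescue JSON::ParserError
  json_error(400, 'malformed JSON body')
end

# Builds a minimal Rack env for the four request shapes in the issue's tests (constructed data).
def build_env(query: '', headers: {}, content_type: nil, body: '')
  env = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/auth/sign_in',
          'QUERY_STRING' => query, 'rack.input' => StringIO.new(body) }
  env['CONTENT_TYPE'] = content_type if content_type
  headers.each { |name, value| env["HTTP_#{name.to_s.upcase.tr('-', '_')}"] = value }
  env
end
```

Rejecting credentials in the query string also keeps them out of access logs and proxy caches, which is the main reason to disallow that transport even when the other checks are relaxed.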
@andrewferk changed the title from "Limit formats allowed to use make requests" to "Limit formats allowed to make requests" on Sep 17, 2016
@zachfeldman

Hi there @andrewferk,

In an effort to clean up this project and prioritize a bit, we're marking issues that haven't had any activity in a while with a "close-in-7-days" label. If we don't hear from you in about a week, we'll be closing this issue. Obviously feel free to re-open it at any time if it's the right time or this was done in error!

If you are still having the issue (especially if it's a bug report) please refer to our new Issue Template to provide some more details to help us solve it.

Hope all is well.
