Merge pull request rails#54434 from ryenski/ryenski/fix-nomethod-error-in-non-string-csrf-token

byroot · web-flow · commit d4d07bc76f4e · 2025-02-05T10:41:32.000+01:00
Fix NoMethodError when a non-string CSRF token is passed through header
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -507,7 +507,7 @@ def masked_authenticity_token(form_options: {})
       # Checks the client's masked token to see if it matches the session token.
       # Essentially the inverse of `masked_authenticity_token`.
       def valid_authenticity_token?(session, encoded_masked_token) # :doc:
-        if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String)
+        if !encoded_masked_token.is_a?(String) || encoded_masked_token.empty?
           return false
         end
 
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -675,7 +675,7 @@ def test_csrf_token_is_not_saved_if_it_is_nil
 
   def test_should_not_raise_error_if_token_is_not_a_string
     assert_blocked do
-      patch :index, params: { custom_authenticity_token: { foo: "bar" } }
+      patch :index, params: { custom_authenticity_token: 1 }, as: :json
     end
   end
 
