Merge pull request #96 from inertiajs/csrf-via-middleware

Set up Rails CSRF to play nice with Axios default CSRF behavior

Author: bknoles

lib/generators/inertia_rails/install/react/inertia.jsx

@@ -1,21 +1,17 @@
 import { App } from '@inertiajs/inertia-react';
 import React from 'react';
 import { render } from 'react-dom';
-import axios from 'axios';
 import { InertiaProgress } from '@inertiajs/progress';
 
 document.addEventListener('DOMContentLoaded', () => {
   InertiaProgress.init();
   const el = document.getElementById('app')
 
-  const csrfToken = document.querySelector('meta[name=csrf-token]').content;
-  axios.defaults.headers.common['X-CSRF-Token'] = csrfToken;
-
   render(
     <App
       initialPage={JSON.parse(el.dataset.page)}
       resolveComponent={name => require(`../Pages/${name}`).default}
     />,
     el
   )
-});
+});

lib/generators/inertia_rails/install/svelte/inertia.js

@@ -1,12 +1,7 @@
-import axios from 'axios'
-
 import { createInertiaApp } from '@inertiajs/inertia-svelte'
 import { InertiaProgress } from '@inertiajs/progress'
 
 document.addEventListener('DOMContentLoaded', () => {
-  const csrfToken = document.querySelector('meta[name=csrf-token]').content
-  axios.defaults.headers.common['X-CSRF-Token'] = csrfToken
-
   InertiaProgress.init()
 
   createInertiaApp({
@@ -16,4 +11,4 @@ document.addEventListener('DOMContentLoaded', () => {
       new App({ target: el, props })
     },
   })
-})
+})

lib/generators/inertia_rails/install/vue/inertia.js

@@ -1,13 +1,9 @@
-import axios from 'axios'
 import Vue from 'vue'
 
 import { app, plugin } from '@inertiajs/inertia-vue'
 import { InertiaProgress } from '@inertiajs/progress'
 
 document.addEventListener('DOMContentLoaded', () => {
-  const csrfToken = document.querySelector('meta[name=csrf-token]').content
-  axios.defaults.headers.common['X-CSRF-Token'] = csrfToken
-
   InertiaProgress.init();
   const el = document.getElementById('app')
 

lib/inertia_rails/controller.rb

@@ -11,6 +11,10 @@ module Controller
         InertiaRails.share(errors: session[:inertia_errors]) if session[:inertia_errors].present?
       end
       helper ::InertiaRails::Helper
+
+      after_action do
+        cookies['XSRF-TOKEN'] = form_authenticity_token unless request.inertia? || !protect_against_forgery?
+      end
     end
 
     module ClassMethods

lib/inertia_rails/middleware.rb

@@ -18,6 +18,7 @@ def initialize(app, env)
       end
 
       def response
+        copy_xsrf_to_csrf!
         status, headers, body = @app.call(@env)
         request = ActionDispatch::Request.new(@env)
 
@@ -89,6 +90,10 @@ def force_refresh(request)
         request.flash.keep
         Rack::Response.new('', 409, {'X-Inertia-Location' => request.original_url}).finish
       end
+
+      def copy_xsrf_to_csrf!
+        @env['HTTP_X_CSRF_TOKEN'] = @env['HTTP_X_XSRF_TOKEN'] if @env['HTTP_X_XSRF_TOKEN'] && inertia_request?
+      end
     end
   end
 end

spec/inertia/request_spec.rb

@@ -96,4 +96,40 @@
 
     it { is_expected.to eq 302 }
   end
+
+  describe 'CSRF' do
+    describe 'it sets the XSRF-TOKEN in the cookies' do
+      subject { response.cookies }
+      before do
+        with_forgery_protection do
+          get inertia_request_test_path, headers: headers
+        end
+      end
+
+      context 'it is not an inertia call' do
+        let(:headers) { Hash.new }
+        it { is_expected.to include('XSRF-TOKEN') }
+      end
+
+      context 'it is an inertia call' do
+        let(:headers){ { 'X-Inertia' => true } }
+        it { is_expected.not_to include('XSRF-TOKEN') }
+      end
+    end
+
+    describe 'copying an X-XSRF-Token header (like Axios sends by default) into the X-CSRF-Token header (that Rails looks for by default)' do
+      subject { request.headers['X-CSRF-Token'] }
+      before { get inertia_request_test_path, headers: headers }
+
+      context 'it is an inertia call' do
+        let(:headers) {{ 'X-Inertia' => true, 'X-XSRF-Token' => 'foo' }}
+        it { is_expected.to eq 'foo' }
+      end
+
+      context 'it is not an inertia call' do
+        let(:headers) { { 'X-XSRF-Token' => 'foo' } }
+        it { is_expected.to be_nil }
+      end
+    end
+  end
 end

spec/rails_helper.rb

@@ -9,6 +9,10 @@
 # Prevent database truncation if the environment is production
 abort("The Rails environment is running in production mode!") if Rails.env.production?
 require 'rspec/rails'
+# Require the spec/support directory and its subdirectories.
+Dir[Rails.root.join('spec', 'support', '**', '*.rb')].each { |f| require f }
+
+require_relative './support/helper_module'
 # Add additional requires below this line. Rails is not loaded until this point!
 # Requires supporting ruby files with custom matchers and macros, etc, in
 # spec/support/ and its subdirectories. Files matching `spec/**/*_spec.rb` are
@@ -45,6 +49,8 @@
   config.filter_rails_from_backtrace!
   # arbitrary gems may also be filtered via:
   # config.filter_gems_from_backtrace("gem name")
+
+  config.include HelperModule
 end
 
 require 'rails-controller-testing'

spec/support/helper_module.rb

@@ -0,0 +1,11 @@
+module HelperModule
+  def with_forgery_protection
+    orig = ActionController::Base.allow_forgery_protection
+    begin
+      ActionController::Base.allow_forgery_protection = true
+      yield if block_given?
+    ensure
+      ActionController::Base.allow_forgery_protection = orig
+    end
+  end
+end