Merge pull request #119 from jordanhiltunen/align-xsrf-cookie-provisioning-with-laravel-precedent

bknoles · web-flow · commit 6aa0edfc1693 · 2024-05-27T16:55:03.000-05:00
Align CSRF cookie provisioning with Laravel's precedents to eliminate ActionController::InvalidAuthenticityToken edge cases
diff --git a/lib/inertia_rails/controller.rb b/lib/inertia_rails/controller.rb
@@ -13,7 +13,7 @@ module Controller
       helper ::InertiaRails::Helper
 
       after_action do
-        cookies['XSRF-TOKEN'] = form_authenticity_token unless request.inertia? || !protect_against_forgery?
+        cookies['XSRF-TOKEN'] = form_authenticity_token unless !protect_against_forgery?
       end
     end
 
diff --git a/spec/dummy/app/controllers/inertia_session_continuity_test_controller.rb b/spec/dummy/app/controllers/inertia_session_continuity_test_controller.rb
@@ -0,0 +1,15 @@
+class InertiaSessionContinuityTestController < ApplicationController
+  def initialize_session
+    render inertia: 'TestNewSessionComponent'
+  end
+
+  def submit_form_to_test_csrf
+    render inertia: 'TestComponent'
+  end
+
+  def clear_session
+    session.clear
+
+    return redirect_to initialize_session_path
+  end
+end
diff --git a/spec/dummy/config/routes.rb b/spec/dummy/config/routes.rb
@@ -41,4 +41,8 @@
   get 'merge_instance_props' => 'inertia_merge_instance_props#merge_instance_props'
 
   get 'lamda_shared_props' => 'inertia_lambda_shared_props#lamda_shared_props'
+
+  get 'initialize_session' => 'inertia_session_continuity_test#initialize_session'
+  post 'submit_form_to_test_csrf' => 'inertia_session_continuity_test#submit_form_to_test_csrf'
+  delete 'clear_session' => 'inertia_session_continuity_test#clear_session'
 end
diff --git a/spec/inertia/request_spec.rb b/spec/inertia/request_spec.rb
@@ -113,7 +113,7 @@
 
       context 'it is an inertia call' do
         let(:headers){ { 'X-Inertia' => true } }
-        it { is_expected.not_to include('XSRF-TOKEN') }
+        it { is_expected.to include('XSRF-TOKEN') }
       end
     end
 
@@ -131,5 +131,27 @@
         it { is_expected.to be_nil }
       end
     end
+
+    it 'sets the XSRF-TOKEN cookie after the session is cleared during an inertia call' do
+      with_forgery_protection do
+        get initialize_session_path
+        expect(response).to have_http_status(:ok)
+        initial_xsrf_token_cookie = response.cookies['XSRF-TOKEN']
+
+        post submit_form_to_test_csrf_path, headers: { 'X-Inertia' => true, 'X-XSRF-Token' => initial_xsrf_token_cookie }
+        expect(response).to have_http_status(:ok)
+
+        delete clear_session_path, headers: { 'X-Inertia' => true, 'X-XSRF-Token' => initial_xsrf_token_cookie }
+        expect(response).to have_http_status(:see_other)
+        expect(response.headers['Location']).to eq('http://www.example.com/initialize_session')
+
+        post_logout_xsrf_token_cookie = response.cookies['XSRF-TOKEN']
+        expect(post_logout_xsrf_token_cookie).not_to be_nil
+        expect(post_logout_xsrf_token_cookie).not_to eq(initial_xsrf_token_cookie)
+
+        post submit_form_to_test_csrf_path, headers: { 'X-Inertia' => true, 'X-XSRF-Token' => post_logout_xsrf_token_cookie }
+        expect(response).to have_http_status(:ok)
+      end
+    end
   end
 end
