Fix Rails 7.1 CSRF token support #296
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
chadlwilson
force-pushed
the
fix-rails-71-session-usage
branch
6 times, most recently
from
f654991 to
31ad419
Compare
chadlwilson
force-pushed
the
fix-rails-71-session-usage
branch
5 times, most recently
from
5bf7143 to
fc527fa
Compare
chadlwilson
changed the title
Contributor
Author
|
@kares if you could take a look, it'd be much appreciated! |
Previous lock files included a zeitwerk version requiring Ruby 3.2, i.e JRuby 10 causing unnecessary variation at install time.
chadlwilson
force-pushed
the
fix-rails-71-session-usage
branch
from
b149e13 to
ef22fbc
Compare
kares
reviewed
Jul 22, 2025
Member
kares
left a comment
kares
left a comment
There was a problem hiding this comment.
👍 haven't tried or investigated all the changes in Rack but this looks reasonable to me.
also invited you to the jruby-rack team, you should be able to merge these on your own now.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #295 by replicating logic below from Rails
abstract_storewhich propagates the CSRF token from the request environment only duringcommit_session.rails/rails@f2c66ce#diff-5207bc67aa19cddd5a4997dec3c69fa4ba541750fbd881c6f7e30b27df9ea9ddR70-R73
rails/rails@f2c66ce#diff-5f81b06a0e3051b576daee16c960b21e715a6cc26d97d020c546d2fa697c9bc6R345-R348
I couldn't really find an alternate approach that seemed better, e.g by re-using the Rails code directly (either
Request.commit_csrf_tokenorAbstractStore.commit_session). This is because in the jruby-rack case, the request object that the store sees appears to be aRack::Requestwhereas the Railsabstract_storecode expects anActionDispatch::Requestsoreq.commit_csrf_tokenis not defined. I couldn't find a way to cleanly access theActionDIspatch::Requestfrom theRack::Requesteither.How this all works earlier is a bit confusing for me, and the current approach is obviously somewhat coupled to the current Rails 7.1/7.2/8.0 behaviour, but it seemed possibly OK given the otherwise deep integration we are dealing with here? The way they have implemented this in Rails doesn't seem great to me due to the need for
AbstractStoreto now understand when to invoke a special CSRF hook, so this has created a bit more coupling for us.Additional minor technical changes
::Rack::Session::Abstract::Persistedto fix warningscontext(env)and align signatures for overridden functions with Rack 2.2.x for easy of understanding (the only supported Rack version for jruby-rack 1.2)::Persistedrather than legacy::ID(delete_sessionrather thandestroy_session,write_sessionrather thanset_session)