Replace configurable CSRF with automatic pipeline separation

camilohollanda · camilohollanda · commit 54015501af65 · 2026-02-10T18:44:10.000-03:00
This commit replaces the disable_csrf configuration option with an
automatic pipeline separation approach that resolves CSRF conflicts
with Phoenix applications while maintaining security.

Changes:
- Remove disable_csrf option and related conditional logic
- Implement automatic request routing by path:
  * /assets/* → Asset pipeline (no CSRF protection)
  * All other routes → Form pipeline (full CSRF protection)
- Maintain CSRF tokens in HTML pages for JavaScript AJAX requests
- Update documentation to explain the automatic approach

Benefits:
- No configuration required - works automatically
- Fixes InvalidCrossOriginRequestError for JavaScript/CSS assets
- Maintains security for all form submissions and API calls
- Follows Phoenix pattern of separating assets from interactive routes

This resolves conflicts when embedding in Phoenix applications while
providing better security than fully disabling CSRF protection.
diff --git a/lib/fun_with_flags/ui/router.ex b/lib/fun_with_flags/ui/router.ex
@@ -2,12 +2,21 @@ defmodule FunWithFlags.UI.Router do
   @moduledoc """
   A `Plug.Router`. This module is meant to be plugged into host applications.
 
+  ## CSRF Protection
+
+  This router uses automatic pipeline separation to handle CSRF protection:
+
+  * **Static assets** (`/assets/*`) - Served directly without CSRF protection
+  * **Interactive routes** (forms, API endpoints) - Full CSRF protection applied
+  * **HTML pages** - Include CSRF tokens for JavaScript to use in AJAX requests
+
+  This approach resolves conflicts with Phoenix applications while maintaining security
+  for form submissions and API calls.
+
   ## Options
 
   * `:namespace` - Path prefix for internal redirects. Use when the UI is mounted
     under a sub-path that differs from the forward path (default: `""`)
-  * `:disable_csrf` - Disable CSRF protection when the host application
-    provides its own CSRF protection (default: `false`)
 
   ## Usage
 
@@ -17,9 +26,6 @@ defmodule FunWithFlags.UI.Router do
       # With namespace - forward at /admin but UI redirects go to /admin/feature-flags/*
       forward "/admin", FunWithFlags.UI.Router, namespace: "feature-flags"
 
-      # Disable CSRF when host app provides protection
-      forward "/feature-flags", FunWithFlags.UI.Router, disable_csrf: true
-
   See the [Readme](/fun_with_flags_ui/readme.html#how-to-run) for more detailed instructions.
   """
   require Logger
@@ -32,26 +38,13 @@ defmodule FunWithFlags.UI.Router do
 
   plug Plug.Logger, log: :debug
 
-  plug Plug.Static,
-    gzip: true,
-    at: "/assets",
-    from: :fun_with_flags_ui
-
-  plug :maybe_protect_from_forgery, Plug.CSRFProtection.init([])
-  plug :maybe_assign_csrf_token
-
-  plug Plug.Parsers, parsers: [:urlencoded]
-  plug Plug.MethodOverride
-
+  plug :route_by_type
   plug :match
   plug :dispatch
 
   @doc false
   def call(conn, opts) do
-    conn =
-      conn
-      |> extract_namespace(opts)
-      |> extract_csrf_config(opts)
+    conn = extract_namespace(conn, opts)
     super(conn, opts)
   end
 
@@ -308,32 +301,33 @@ defmodule FunWithFlags.UI.Router do
   end
 
 
-  defp extract_csrf_config(conn, opts) do
-    disable_csrf = opts[:disable_csrf] || false
-    Plug.Conn.put_private(conn, :fun_with_flags_disable_csrf, disable_csrf)
-  end
-
-
-  defp csrf_disabled?(conn) do
-    conn.private[:fun_with_flags_disable_csrf] == true
+  defp route_by_type(conn, _opts) do
+    case conn.request_path do
+      "/assets" <> _ ->
+        asset_pipeline(conn)
+      _ ->
+        form_pipeline(conn)
+    end
   end
 
 
-  defp maybe_protect_from_forgery(conn, opts) do
-    if csrf_disabled?(conn) do
-      conn
-    else
-      protect_from_forgery(conn, opts)
-    end
+  defp asset_pipeline(conn) do
+    # Assets pipeline: only serve static files, no CSRF protection
+    Plug.Static.call(conn,
+      gzip: true,
+      at: "/assets",
+      from: :fun_with_flags_ui
+    )
   end
 
 
-  defp maybe_assign_csrf_token(conn, opts) do
-    if csrf_disabled?(conn) do
-      conn
-    else
-      assign_csrf_token(conn, opts)
-    end
+  defp form_pipeline(conn) do
+    # Form pipeline: full CSRF protection for interactive routes
+    conn
+    |> protect_from_forgery(Plug.CSRFProtection.init([]))
+    |> assign_csrf_token([])
+    |> Plug.Parsers.call(parsers: [:urlencoded])
+    |> Plug.MethodOverride.call([])
   end
 
 
