Fix CSRF conflicts with Phoenix using automatic pipeline separation#51
Open
camilohollanda wants to merge 4 commits intotompave:masterfrom
Open
Fix CSRF conflicts with Phoenix using automatic pipeline separation#51camilohollanda wants to merge 4 commits intotompave:masterfrom
camilohollanda wants to merge 4 commits intotompave:masterfrom
Conversation
…cations This change introduces a disable_csrf option that allows host applications to disable FunWithFlags UI's built-in CSRF protection when they provide their own CSRF protection (like Phoenix applications do). Changes: - Add disable_csrf option to router configuration - Make protect_from_forgery plug conditional based on disable_csrf setting - Make CSRF token assignment conditional - Update module documentation with usage examples This resolves conflicts that occur when embedding FunWithFlags UI in Phoenix applications that already have CSRF protection enabled. Usage: forward "/feature-flags", FunWithFlags.UI.Router, disable_csrf: true
Clarify that namespace is used for internal redirects and provide a concrete example showing when and how to use it when the forward path differs from the desired UI path structure.
This commit replaces the disable_csrf configuration option with an automatic pipeline separation approach that resolves CSRF conflicts with Phoenix applications while maintaining security. Changes: - Remove disable_csrf option and related conditional logic - Implement automatic request routing by path: * /assets/* → Asset pipeline (no CSRF protection) * All other routes → Form pipeline (full CSRF protection) - Maintain CSRF tokens in HTML pages for JavaScript AJAX requests - Update documentation to explain the automatic approach Benefits: - No configuration required - works automatically - Fixes InvalidCrossOriginRequestError for JavaScript/CSS assets - Maintains security for all form submissions and API calls - Follows Phoenix pattern of separating assets from interactive routes This resolves conflicts when embedding in Phoenix applications while providing better security than fully disabling CSRF protection.
camilohollanda
changed the title
This commit adds extensive test coverage for the new pipeline separation feature that resolves CSRF conflicts with Phoenix applications. Test coverage includes: **Pipeline Separation Tests:** - Asset requests (/assets/*) go through asset pipeline without CSRF tokens - Different asset extensions (js, css, png, woff) all use asset pipeline - Form requests go through form pipeline with CSRF tokens assigned - All form routes receive CSRF tokens for JavaScript usage - POST requests work correctly with form pipeline and CSRF protection - Asset pipeline doesn't interfere with static file serving **CSRF Token Assignment Tests:** - HTML responses include CSRF tokens for JavaScript AJAX requests - Asset requests never receive CSRF tokens to avoid conflicts - Token assignment is consistent across different routes **Backward Compatibility Tests:** - All existing functionality continues to work unchanged - Namespace option works correctly with pipeline separation - Flag operations (create, read, update) work with new architecture The tests ensure the pipeline separation provides the expected security benefits (CSRF protection for forms, no conflicts for assets) while maintaining complete backward compatibility with existing usage. Tests require Redis for FunWithFlags functionality and will run in CI.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements automatic pipeline separation to resolve CSRF conflicts with Phoenix applications without requiring any configuration. Static assets are served without CSRF protection while interactive routes maintain full security.
Fixes #52
Problem
When embedding FunWithFlags UI in Phoenix applications, conflicts occur because static assets (JavaScript/CSS) are served through CSRF-protected routes. This results in cross-origin request errors like:
The issue occurs because:
Plug.Staticat/assetsCurrent State: README Workaround vs. User Experience
README Documents a Solution
The current README provides a workaround using
:mounted_appspipeline:Why This Creates Poor User Experience
1. Discoverability Problem
2. Non-intuitive Integration
Most Phoenix developers expect this to work:
3. Maintenance Overhead
4. Documentation Burden
:browservs:mounted_appsshould be usedSolution: Automatic Pipeline Separation
Implemented automatic pipeline separation that routes requests based on path:
/assets/*→ Asset pipeline (static file serving only, no CSRF)Architecture
This follows the Phoenix pattern:
Benefits Over Current Approach
:mounted_apps):browserpipelineUsage
No changes needed - works automatically with standard Phoenix patterns:
Testing
The implementation maintains complete backward compatibility while making the intuitive approach work automatically. This eliminates the need for users to discover and implement workarounds for CSRF conflicts.