Improve web api protect (#6343)

2018-04-17 22:23:46 +09:00 · 2018-04-17 22:23:46 +09:00 · 897199910f
commit 897199910f
parent 204d72fbe4
6 changed files with 18 additions and 10 deletions
--- a/app/controllers/api/web/base_controller.rb
+++ b/app/controllers/api/web/base_controller.rb
@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class Api::Web::BaseController < Api::BaseController
+  protect_from_forgery with: :exception
+
+  rescue_from ActionController::InvalidAuthenticityToken do
+    render json: { error: "Can't verify CSRF token authenticity." }, status: 422
+  end
+end
--- a/app/controllers/api/web/embeds_controller.rb
+++ b/app/controllers/api/web/embeds_controller.rb
@ -1,6 +1,6 @@
 # frozen_string_literal: true

-class Api::Web::EmbedsController < Api::BaseController
+class Api::Web::EmbedsController < Api::Web::BaseController
  respond_to :json

  before_action :require_user!
--- a/app/controllers/api/web/push_subscriptions_controller.rb
+++ b/app/controllers/api/web/push_subscriptions_controller.rb
@ -1,10 +1,9 @@
 # frozen_string_literal: true

-class Api::Web::PushSubscriptionsController < Api::BaseController
+class Api::Web::PushSubscriptionsController < Api::Web::BaseController
  respond_to :json

  before_action :require_user!
-  protect_from_forgery with: :exception

  def create
    active_session = current_session
--- a/app/controllers/api/web/settings_controller.rb
+++ b/app/controllers/api/web/settings_controller.rb
@ -1,6 +1,6 @@
 # frozen_string_literal: true

-class Api::Web::SettingsController < Api::BaseController
+class Api::Web::SettingsController < Api::Web::BaseController
  respond_to :json

  before_action :require_user!