switched to cookie-based CSRF

Oaphi · Oaphi · commit c89765622f36 · 2025-09-16T04:45:58.000+03:00
diff --git a/app/assets/javascripts/qpixel_api.js b/app/assets/javascripts/qpixel_api.js
@@ -7,12 +7,6 @@ const validators = [];
 let popped_modals_ct = 0;
 
 window.QPixel = {
-  csrfToken: () => {
-    const token = $('meta[name="csrf-token"]').attr('content');
-    QPixel.csrfToken = () => token;
-    return token;
-  },
-
   createNotification: function (type, message) {
     // Some messages include a date stamp, `append_date` governs that.
     let append_date = false;
@@ -320,7 +314,6 @@ window.QPixel = {
 
   fetch: async (uri, init) => {
     const defaultHeaders = {
-      'X-CSRF-Token': QPixel.csrfToken(),
       // X-Requested-With is necessary for request.xhr? to work
       'X-Requested-With': 'XMLHttpRequest',
       'Content-Type': 'application/json',
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -4,7 +4,7 @@
 class ApplicationController < ActionController::Base
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
-  protect_from_forgery with: :exception
+  protect_from_forgery with: :exception, store: :cookie
   before_action :configure_permitted_parameters, if: :devise_controller?
   before_action :set_globals
   before_action :enforce_signed_in, unless: :devise_controller?
@@ -417,4 +417,10 @@ def require_sudo
       redirect_to user_sudo_path
     end
   end
+
+  # default request_authenticity_tokens only checks form tokens and request.x_csrf_token
+  # for some reason, even if cookie-based strategy is officially supported, it's not checked here
+  def request_authenticity_tokens
+    super << csrf_token_storage_strategy.fetch(request)
+  end
 end
diff --git a/app/views/layouts/_head.html.erb b/app/views/layouts/_head.html.erb
@@ -71,8 +71,6 @@
   <script id="MathJax-script" async src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script>
 <% end %>
 
-<%= csrf_meta_tags %>
-
 <%= yield(:head) %>
 
 <% if content_for? :twitter_card_meta %>
diff --git a/global.d.ts b/global.d.ts
@@ -411,12 +411,6 @@ interface QPixel {
    */
   addPrePostValidation?: (callback: PostValidator) => void;
 
-  /**
-   * Get the current CSRF anti-forgery token. Should be passed as the X-CSRF-Token header when
-   * making AJAX POST requests.
-   */
-  csrfToken?: () => string;
-
   /**
    * Create a notification popup - not an inbox notification.
    * @param type the type to apply to the popup - warning, danger, etc.
