ruby on rails 4 - CSRF token session_store with ember-simple-auth alongside Devise


Is it possible to implement Rails CSRF protection through cookie_store at the same time as using ember-simple-auth with Devise?

The guides say one should deactivate Rails.application.config.session_store; my understanding is that this does not allow Rails to keep track of CSRF tokens, because it causes Rails to lose track of sessions. After attempting many solutions, including:

  1. requiring jquery_ujs in the Rails manifest.
  2. Rails.application.config.session_store :disabled.
  3. https://github.com/abuiles/rails-csrf.
  4. changing the Ember.js adapter to append the CSRF token.

the end result is still pretty much the same:

Can't verify CSRF token authenticity, followed by a completed 422 Unprocessable Entity if protect_from_forgery is set to :exception instead of :null_session.

Example transaction:

Partial request header:

x-csrf-token:1vgiz6mfv4kdj0yygfidq54dv2rjeiaq57o05psdndlaqsxmzegdqioesyawg1bz+dg7oi6i2xxababsowqbrq== 

Response header:

   HTTP/1.1 422 Unprocessable Entity
   Content-Type: text/plain; charset=utf-8
   X-Request-Id: 71e94632-ad98-4b3f-97fb-e274a2ec1c7e
   X-Runtime: 0.050747
   Content-Length: 74162

The response attaches the following:

   Session dump
   _csrf_token: "jfjdzkn/kodnnjm0dxlutmssemidqxj7u/hrgmsd3de="

The rails-csrf response, CSRF branch (the branch has been deleted):

   beforeModel() {
       return this.csrf.fetchToken();
   },

Partial dump of the return statement:

   _result: Object
   param: "authenticity_token"
   token: "1vgiz6mfv4kdj0yygfidq54dv2rjeiaq57o05psdndlaqsxmzegdqioesyawg1bz+dg7oi6i2xxababsowqbrq=="

From my understanding, all of these attempted solutions have a common root: session_store disabled...

update!

The answer below turned out to be wrong in nature after learning more about CSRF protection and ember-cli-rails.


The idea here is to have 2 storages: cookie-based storage for the CSRF token, maintained by Rails, and localStorage, maintained by ember-simple-auth, for the user's authenticity token, email and id, which are taken care of by a custom session, SessionAccount, that inherits the values and validates them against the server before making the user available to the entire Ember.js app.

The validation in SessionAccount occurs in order to detect tampering with localStorage. Validation occurs every time SessionAccount queries localStorage (e.g. on page reload) and communicates with the server through a Token model (token, email and id). The server responds 200 or 404 through a TokenSerializer that renders the email or a validation error, not disclosing to the frontend any other authentication_tokens unless the user signs in through the login form, which requires email and password.

From my understanding, the weak spots in this methodology are not susceptible enough to be hackable unless:

  • Someone invades the server and the database content. Although passwords are salted, a person who has a database dump can change the localStorage token, email and id to those of the person they want to impersonate, and the server validation will work. However, this can be minimized by a worker that changes the authentication token of non-logged-in users every 24 hours (or another timeframe). The code example section does not have a worker since I still have not learned them.
  • Someone knows the password and email of the person they want to hack... not much one can do about that at the moment.
  • Someone intercepts the data being passed around through the JSON API. A strong SSL implementation should do the job.
  • If SessionAccount has something along the lines of is_admin, the token is sent alongside the POST request for admin requests in order to do further backend validation, since one can never trust the frontend.
  • Something else? Those are the ones I am aware of.

now onto practical approach:

  1. set rails.application.config.session_store :csrf_cookie_store, key: '_xxxxx_id', httponly: false on session_store.db.
  2. create csrf_cookie_store under lib , require on application.rb require 'csrf_cookie_store'.
  3. set protect_from_forgery with: :exception on application.rb.
  4. create tokencontroller handle validation.
  5. tokenserializer email sent back.
  6. update devise session controller change token upon login , skip authenticity token validation on session destroy.
  7. check routes tokens create , have custom devise session.
  8. create ember.js token model
  9. match sessionaccount created.
  10. update devise authenticator send delete request server when session being invalidated.
  11. test out.
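The 422 in the question comes from Rails comparing the X-CSRF-Token header against the _csrf_token kept in the session: once the session store is disabled or reset, Rails issues a fresh session token and no previously fetched header value can match it. The Ruby block below is an added example, not code from the question, from Rails, rails-csrf or ember-simple-auth; it re-implements that comparison in the masked form Rails 4.2+ uses (the 88-character header value in the question is the masked 64-byte form, the 44-character session dump value is the raw 32-byte form) so the failure can be reproduced offline. All function names are my own; the comparison helper follows the XOR-accumulate style of ActiveSupport::SecurityUtils.secure_compare.

```ruby
require 'securerandom'
require 'base64'

# Rails keeps a 32-byte random token in session[:_csrf_token] (base64, 44 chars).
TOKEN_LENGTH = 32

# Generate the raw per-session token (the value seen in the session dump).
def generate_session_token
  SecureRandom.base64(TOKEN_LENGTH)
end

# Byte-wise XOR of two equal-length binary strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Mask the raw token with a fresh one-time pad, as Rails 4.2+ does for every
# form and meta tag: base64(pad || pad XOR raw) is the 64-byte (88-char) value
# the client sends back in X-CSRF-Token. The pad is random, so the header value
# differs on every request even though the session token stays the same.
def masked_token(session_token)
  raw = Base64.strict_decode64(session_token)
  pad = SecureRandom.random_bytes(raw.bytesize)
  Base64.strict_encode64(pad + xor_bytes(pad, raw))
end

# Length-checked comparison that touches every byte, so timing does not leak
# how many leading bytes of the guess were right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check protect_from_forgery performs: accept either the raw 32-byte form
# or the masked 64-byte form, and require it to equal the session's token.
# Returns false (a 422 under with: :exception) for a missing, malformed or
# foreign token.
def valid_authenticity_token?(session_token, request_token)
  return false if session_token.nil? || request_token.nil?
  begin
    real = Base64.strict_decode64(session_token)
    sent = Base64.strict_decode64(request_token)
  rescue ArgumentError
    return false
  end
  case sent.bytesize
  when TOKEN_LENGTH
    secure_compare(sent, real)
  when TOKEN_LENGTH * 2
    pad    = sent[0...TOKEN_LENGTH]
    masked = sent[TOKEN_LENGTH..-1]
    secure_compare(xor_bytes(pad, masked), real)
  else
    false
  end
end

# Reproduce the scenario from the question: a token fetched under one session
# is verified against a different session, which is what a disabled or reset
# session store amounts to, since Rails generates a new token for the new session.
def demo
  session_a = generate_session_token
  header    = masked_token(session_a)   # what the client puts in X-CSRF-Token
  session_b = generate_session_token    # fresh session, as after a session reset
  {
    same_session:  valid_authenticity_token?(session_a, header),      # true
    other_session: valid_authenticity_token?(session_b, header),      # false
    garbage:       valid_authenticity_token?(session_a, 'not base64!') # false
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it with `ruby csrf_check.rb` (file name assumed); the `other_session` entry is the situation behind "Can't verify CSRF token authenticity": the header token is well formed and was genuinely issued by Rails, but it unmasks to a token belonging to a session the server no longer has, so keeping a server-backed session (the cookie store in step 1 of the approach above) is what makes the masked token verifiable at all.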
