Problem after updating to 0.4.0


#1

Good day,

After updating lotusrb to 0.4.0 I'm getting this error after logging in to my web app:

Lotus::Action::InvalidCSRFTokenError: Lotus::Action::InvalidCSRFTokenError

My application.rb is like this:

sessions :cookie, key: "myapp.web", secret: ENV['WEB_SESSIONS_SECRET']

Is there any extra change needed to be made to the sessions secrets after the update?

Thanks in advance.


#2

@pastuxo found the problem.

We included the hidden csrf_token field in our forms:

%input{:name => "_csrf_token", :type => "hidden", :value => csrf_token}

That inclusion is not needed if form helpers are used.


#3

Lotus 0.4.0 enables CSRF protection by default. I recommend using form helpers instead of this workaround, but it's valid.

I talked with @darwinrc in the chat. Closing this issue.


#5

@darwinrc I also remind you that you can bypass the CSRF protection by overriding #verify_csrf_token? in the related action:

module Web::Controllers::Books
  class Create
    include Web::Action

    def call(params)
      # ...
    end

    private

    # Returning false skips the CSRF token check for this action only.
    def verify_csrf_token?
      false
    end
  end
end

Ref: https://github.com/lotus/lotus/pull/248
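The following is an added example written for this thread; it is not Lotus code and does not reproduce the framework's internals. It is a small stand-in that mirrors the behaviour discussed above: a per-session `_csrf_token`, a check on state-changing requests that raises an `InvalidCSRFTokenError`-style exception when the submitted token is missing or differs from the session token, and the `verify_csrf_token?` hook from #5 that an individual action can override to opt out. The module name `CsrfAction`, the `handle` entry point, the request/session hashes and the book title are all assumptions chosen for the illustration.

```ruby
require 'securerandom'

# Added example, not Lotus code: a minimal stand-in for the CSRF check the
# thread discusses. CsrfAction, #handle, the request hash layout and the
# constant names are assumptions made for this illustration.
module CsrfAction
  class InvalidCSRFTokenError < StandardError; end

  CSRF_PARAM   = '_csrf_token'.freeze
  CSRF_SESSION = '_csrf_token'.freeze
  # Methods that must not change state and therefore need no token.
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  # Lazily create one random token per session; a form helper would embed
  # this value in a hidden _csrf_token field.
  def csrf_token(session)
    session[CSRF_SESSION] ||= SecureRandom.hex(32)
  end

  # Hook mirroring the override shown in the thread: return false to skip.
  def verify_csrf_token?
    true
  end

  # Entry point: verify the token (unless opted out or a safe method), then
  # dispatch to the action's own #call.
  def handle(request, session)
    if verify_csrf_token? && !SAFE_METHODS.include?(request[:method])
      verify!(request, session)
    end
    call(request[:params])
  end

  private

  def verify!(request, session)
    expected = session[CSRF_SESSION]
    given    = request[:params][CSRF_PARAM]
    return if expected && given && secure_compare(expected, given.to_s)
    raise InvalidCSRFTokenError
  end

  # Constant-time comparison so timing does not leak how many leading bytes
  # of the guess were correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Protected action: CSRF token is checked on every non-safe request.
class CreateBook
  include CsrfAction

  def call(params)
    { created: params['title'] }
  end
end

# Opted-out action, as in #5: the check is skipped for this action only.
class CreateBookNoCsrf
  include CsrfAction

  def call(params)
    { created: params['title'] }
  end

  private

  def verify_csrf_token?
    false
  end
end

# Walk through the three cases: valid token, wrong token, and the override.
# Sample request hashes are constructed inline for the demonstration.
def demo
  session = {}
  action  = CreateBook.new
  token   = action.csrf_token(session)

  ok = action.handle({ method: 'POST',
                       params: { 'title' => 'Dune', '_csrf_token' => token } }, session)
  bad = begin
    action.handle({ method: 'POST',
                    params: { 'title' => 'Dune', '_csrf_token' => 'wrong' } }, session)
    :no_error
  rescue CsrfAction::InvalidCSRFTokenError
    :rejected
  end
  read = action.handle({ method: 'GET', params: {} }, session)
  bypassed = CreateBookNoCsrf.new.handle({ method: 'POST',
                                           params: { 'title' => 'Dune' } }, session)
  { ok: ok, bad: bad, read: read, bypassed: bypassed }
end
```

Scope the override narrowly: an action that returns false from `verify_csrf_token?` accepts any cross-site POST, so it is only appropriate for endpoints that do not rely on the cookie session for authorization.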