I am implementing the code in this faye pub/sub 
tutorial (http://faye.jcoglan.com/security/csrf.html) -- go to the example 
rails section to see the code I am talking about.

What it does is when a message is to be published, it goes through the 
CsrfProtection class. Session_token comes from the csrf_token rails stores 
in a session, and the message_token comes from the <meta> tag authenticity 
token in the html code that is extracted by javascript and passed to the 
CsrfProtection class as a message_token.

This code always seems to produce an error because the authenticity token 
in the html of the site, is different from the stored csrf_token in rails.

After inspecting this, I realized that Rails actually encrypts and 
decrypts tokens, and so to properly compare the authenticity token with the 
csrf_token in session, one has to first decrypt it. 
There should be a rails method that allows you to manually compare the 
csrf_token with the authenticity token so one can secure pub/sub channels 
(and to my knowledge, publishing to a pub/sub channel doesn't go through a 
rails action, and so one can't use the protect_from_forgery thing).


Thoughts on this? What is the way to protect the pub/sub channel from csrf 
protection?

https://github.com/rails/rails/blob/e7feaff70f13b56a0507e9f4dfaf3ebc361cb8e6/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L197
 


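As an added example (not from the post, and not Faye's or Rails' own code), here is a stand-alone Ruby re-creation of the token masking scheme Rails 4.2+ uses and of the `valid_authenticity_token?` check its RequestForgeryProtection module performs, followed by the gate a Faye extension could apply to a publish. `TOKEN_LENGTH`, the helper names, the in-memory `session` hash, `check_publish` and the `message["ext"]["csrfToken"] ` location are assumptions made for the example.

```ruby
require "base64"
require "securerandom"

TOKEN_LENGTH = 32 # assumption: mirrors Rails' AUTHENTICITY_TOKEN_LENGTH

# XOR two equal-length byte strings.
def xor_byte_strings(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Constant-time comparison so the check does not leak how many leading
# bytes of a guessed token matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The raw token Rails keeps in the session (stored base64-encoded).
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

# What the <meta name="csrf-token"> tag carries: a fresh one-time pad
# followed by (pad XOR real token), base64-encoded. A new pad each time is
# why the page's token never equals the session token byte for byte.
def masked_authenticity_token(session)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_byte_strings(pad, real_csrf_token(session)))
end

# Strip the pad to recover the real token from a masked one.
def unmask_token(masked)
  pad = masked[0, TOKEN_LENGTH]
  xor_byte_strings(pad, masked[TOKEN_LENGTH, TOKEN_LENGTH])
end

# Equivalent of Rails' valid_authenticity_token?(session, encoded_masked_token):
# accept a masked token (64 bytes) or a legacy unmasked one (32 bytes).
def valid_authenticity_token?(session, encoded)
  return false unless encoded.is_a?(String)
  masked = Base64.strict_decode64(encoded)
  case masked.bytesize
  when TOKEN_LENGTH
    constant_time_equal?(masked, real_csrf_token(session))
  when TOKEN_LENGTH * 2
    constant_time_equal?(unmask_token(masked), real_csrf_token(session))
  else
    false
  end
rescue ArgumentError # not valid base64
  false
end

# Publish gate (assumed shape): /meta/* handshake and connect traffic passes;
# a publish is only let through when the token in message["ext"] unmasks to
# the real token of the publishing session. Otherwise set "error" so the
# message is refused.
def check_publish(message, session)
  return message if message["channel"].to_s.start_with?("/meta/")
  token = message.fetch("ext", {})["csrfToken"]
  message["error"] = "Invalid CSRF token" unless valid_authenticity_token?(session, token)
  message
end
```

The session hash here stands in for the Rails session the extension would look up from the request's cookie; the check itself is the part the post was missing, namely unmasking before comparing.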