Rack::Protection together with Rails >=5.2.4.3 & >= 6.0.3.1 - CSRF check is broken

[mobilutz]

Because of a CVE, rails changed their CSRF handling a little with the version from above, see for example the change in 5.2.4.3:
rails/rails@d124f19

Now, Rack::Protection::AuthenticityToken and rails don't do the exact same thing anymore, which breaks some of our application as some they are Rack apps.

I already have a working prototype, I just need to polish this a bit and create a PR out of it.

I just wanted to make you aware, that the CSRF handling between rails and Rack::Protection is different now.

[jkowens]

@mobilutz thanks for filing this report. We'll get work on getting this fixed.

[jkowens]

Btw if you do have a PR in the works feel free to send it up 😉

[jkowens]

@mobilutz after further investigation, it looks like Rack::Protection::AuthenticityToken based it's csrf protection on Rails methodology, but never guaranteed they would be interoperable. I'm interested to hear more about how you configured that since Rack::Protection::AuthenticityToken uses a different session key for the csrf token than Rails.

[mobilutz]

@jkowens As we are using Rack-Protection for a grape integration in a bigger Rails apps, we can easily use Rails' code.
We are monkey-patching the code for now 😕

[jkowens]

I think the question is should we add per form authenticity token capabilities. If we do that, I can see the justification in following suite and also adding the HMAC hashing. This PR describes why it was added to Rails CSRF protection:

rails/rails#22275

@namusyaka do you think we should consider adding per form authenticity tokens as an optional capability?

[jkowens]

@mobilutz I've opened PR #1653 that should address this request. If you have a chance to test out my branch that would be great.