feat: remove CSRF protection implementation from Grape API

app/api/houdini/v1/base_api.rb

@@ -2,31 +2,4 @@
 
 # License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
 class Houdini::V1::BaseAPI < Grape::API
-  # helpers ApplicationHelper
-  # helpers do
-  #   def session
-  #     env['rack.session']
-  #   end
-  #
-  #   def protect_against_forgery
-  #     unless verified_request?
-  #       error!('Unauthorized', 401)
-  #     end
-  #   end
-  #
-  #   def verified_request?
-  #     !protect_against_forgery? || request.get? || request.head? ||
-  #         form_authenticity_token == request.headers['X-CSRF-Token'] ||
-  #         form_authenticity_token == request.headers['X-Csrf-Token']
-  #   end
-  #
-  #   def form_authenticity_token
-  #     session[:_csrf_token] ||= SecureRandom.base64(32)
-  #   end
-  #
-  #   def protect_against_forgery?
-  #     allow_forgery_protection = Rails.configuration.action_controller.allow_forgery_protection
-  #     allow_forgery_protection.nil? || allow_forgery_protection
-  #   end
-  # end
 end

app/api/houdini/v1/helpers/application_helper.rb

@@ -3,39 +3,4 @@
 # License: AGPL-3.0-or-later WITH Web-Template-Output-Additional-Permission-3.0-or-later
 module Houdini::V1::Helpers::ApplicationHelper
   extend Grape::API::Helpers
-
-  def session
-    env['rack.session']
-  end
-
-  def protect_against_forgery
-    error!('Unauthorized', 401) unless verified_request?
-  end
-
-  def verified_request?
-    !protect_against_forgery? || request.get? || request.head? ||
-      form_authenticity_token == request.headers['X-CSRF-Token'] ||
-      form_authenticity_token == request.headers['X-Csrf-Token']
-  end
-
-  def form_authenticity_token
-    session[:_csrf_token] ||= SecureRandom.base64(32)
-  end
-
-  def protect_against_forgery?
-    allow_forgery_protection = Rails.configuration.action_controller.allow_forgery_protection
-    allow_forgery_protection.nil? || allow_forgery_protection
-  end
-
-  # def rescue_ar_invalid( *class_to_hash)
-  #     rescue_with ActiveRecord::RecordInvalid do |error|
-  #       output = []
-  #       error.record.errors do |attr,message|
-  #         output.push({params: "#{class_to_hash[error.record.class]}['#{attr}']",
-  #                   message: message})
-  #       end
-  #       raise Grape::Exceptions::ValidationErrors.new(output)
-  #
-  #     end
-  # end
 end

app/api/houdini/v1/nonprofit.rb

@@ -4,10 +4,6 @@
 class Houdini::V1::Nonprofit < Houdini::V1::BaseAPI
   helpers Houdini::V1::Helpers::ApplicationHelper, Houdini::V1::Helpers::RescueHelper
 
-  before do
-    protect_against_forgery
-  end
-
   desc 'Return a nonprofit.' do
     success Houdini::V1::Entities::Nonprofit
   end
@@ -16,7 +12,7 @@ class Houdini::V1::Nonprofit < Houdini::V1::BaseAPI
   end
   route_param :id do
     get do
-      np = Nonprofit.find(params[:id])
+      np = ::Nonprofit.find(params[:id])
       present np, as: Houdini::V1::Entities::Nonprofit
     end
   end
@@ -57,7 +53,7 @@ class Houdini::V1::Nonprofit < Houdini::V1::BaseAPI
     np = nil
     u = nil
     Qx.transaction do
-      np = Nonprofit.new(OnboardAccounts.set_nonprofit_defaults(declared_params[:nonprofit]))
+      np = ::Nonprofit.new(OnboardAccounts.set_nonprofit_defaults(declared_params[:nonprofit]))
 
       begin
         np.save!

app/controllers/onboard_controller.rb

@@ -2,6 +2,7 @@
 
 class OnboardController < ApplicationController
   layout 'layouts/apified'
+
   def index
     @theme = 'minimal'
   end

config/initializers/session_store.rb

@@ -2,4 +2,4 @@
 
 # Be sure to restart your server when you modify this file.
 
-Rails.application.config.session_store :cookie_store, key: '_commitchange_session'
+Rails.application.config.session_store :cookie_store, key: ENV['COOKIE_STORE_KEY'] || '_commitchange_session'

package-lock.json

@@ -10583,8 +10583,7 @@
         "ansi-regex": {
           "version": "2.1.1",
           "bundled": true,
-          "dev": true,
-          "optional": true
+          "dev": true
         },
         "aproba": {
           "version": "1.2.0",
@@ -10605,14 +10604,12 @@
         "balanced-match": {
           "version": "1.0.0",
           "bundled": true,
-          "dev": true,
-          "optional": true
+          "dev": true
         },
         "brace-expansion": {
           "version": "1.1.11",
           "bundled": true,
           "dev": true,
-          "optional": true,
           "requires": {
             "balanced-match": "^1.0.0",
             "concat-map": "0.0.1"
@@ -10627,20 +10624,17 @@
         "code-point-at": {
           "version": "1.1.0",
           "bundled": true,
-          "dev": true,
-          "optional": true
+          "dev": true
         },
         "concat-map": {
           "version": "0.0.1",
           "bundled": true,
-          "dev": true,
-          "optional": true
+          "dev": true
         },
         "console-control-strings": {
           "version": "1.1.0",
           "bundled": true,
-          "dev": true,
-          "optional": true
+          "dev": true
         },
         "core-util-is": {
           "version": "1.0.2",
@@ -10757,8 +10751,7 @@
         "inherits": {
           "version": "2.0.3",
           "bundled": true,
-          "dev": true,
-          "optional": true
+          "dev": true
         },
         "ini": {
           "version": "1.3.5",
@@ -10770,7 +10763,6 @@
           "version": "1.0.0",
           "bundled": true,
           "dev": true,
-          "optional": true,
           "requires": {
             "number-is-nan": "^1.0.0"
           }
@@ -10785,7 +10777,6 @@
           "version": "3.0.4",
           "bundled": true,
           "dev": true,
-          "optional": true,
           "requires": {
             "brace-expansion": "^1.1.7"
           }
@@ -10793,14 +10784,12 @@
         "minimist": {
           "version": "0.0.8",
           "bundled": true,
-          "dev": true,
-          "optional": true
+          "dev": true
         },
         "minipass": {
           "version": "2.3.5",
           "bundled": true,
           "dev": true,
-          "optional": true,
           "requires": {
             "safe-buffer": "^5.1.2",
             "yallist": "^3.0.0"
@@ -10819,7 +10808,6 @@
           "version": "0.5.1",
           "bundled": true,
           "dev": true,
-          "optional": true,
           "requires": {
             "minimist": "0.0.8"
           }
@@ -10900,8 +10888,7 @@
         "number-is-nan": {
           "version": "1.0.1",
           "bundled": true,
-          "dev": true,
-          "optional": true
+          "dev": true
         },
         "object-assign": {
           "version": "4.1.1",
@@ -10913,7 +10900,6 @@
           "version": "1.4.0",
           "bundled": true,
           "dev": true,
-          "optional": true,
           "requires": {
             "wrappy": "1"
           }
@@ -10999,8 +10985,7 @@
         "safe-buffer": {
           "version": "5.1.2",
           "bundled": true,
-          "dev": true,
-          "optional": true
+          "dev": true
         },
         "safer-buffer": {
           "version": "2.1.2",
@@ -11036,7 +11021,6 @@
           "version": "1.0.2",
           "bundled": true,
           "dev": true,
-          "optional": true,
           "requires": {
             "code-point-at": "^1.0.0",
             "is-fullwidth-code-point": "^1.0.0",
@@ -11056,7 +11040,6 @@
           "version": "3.0.1",
           "bundled": true,
           "dev": true,
-          "optional": true,
           "requires": {
             "ansi-regex": "^2.0.0"
           }
@@ -11100,14 +11083,12 @@
         "wrappy": {
           "version": "1.0.2",
           "bundled": true,
-          "dev": true,
-          "optional": true
+          "dev": true
         },
         "yallist": {
           "version": "3.0.3",
           "bundled": true,
-          "dev": true,
-          "optional": true
+          "dev": true
         }
       }
     },