-
Notifications
You must be signed in to change notification settings - Fork 13.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RoR forms project - Update CSRF token related sections #29165
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for taking the time to make these changes to these two lessons. There are a few small things that I think we need to change, so that the layout matches the rest of the lesson/curriculum. I left a few suggestions to try and illustrate why I am requesting a change, but I am open to other ideas as well.
1. CSRF Safety: | ||
From Rails 7, Turbo is enabled by default in new apps. Turbo intercepts form submission and makes a partial XHR request instead of a standard HTTP request with full page reload. To get a better grasp of Rails protection against [cross-site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery), let's take a small detour and disable Turbo for this form by setting the data attribute `data-turbo=false`. | ||
In the dev tools network tab, compare the request type with and without the `data-turbo=false` attribute to confirm it works as expected. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When using our markdown preview tool, I don't really like having the "CSRF Safety:" and the last sentence on different lines look. I propose rewording slightly to putting them all on 1 line, something like this:
1. CSRF Safety: | |
From Rails 7, Turbo is enabled by default in new apps. Turbo intercepts form submission and makes a partial XHR request instead of a standard HTTP request with full page reload. To get a better grasp of Rails protection against [cross-site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery), let's take a small detour and disable Turbo for this form by setting the data attribute `data-turbo=false`. | |
In the dev tools network tab, compare the request type with and without the `data-turbo=false` attribute to confirm it works as expected. | |
1. For CSRF safety with Rails 7, Turbo is enabled by default in new apps. Turbo intercepts form submission and makes a partial XHR request instead of a standard HTTP request with full page reload. To get a better grasp of Rails protection against [cross-site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery), let's take a small detour and disable Turbo for this form by setting the data attribute `data-turbo=false`. Then, in the dev tools network tab, compare the request type with and without the `data-turbo=false` attribute to confirm it works as expected. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated as proposed
### Making forms into params | ||
|
||
What about the other form inputs, the ones we actually care about? | ||
### Railsifying your form - Making forms input into params |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of combining these two titles with a hyphen, I'd prefer to combine them together. Maybe something like this:
### Railsifying your form - Making forms input into params | |
### Railsifying your form by making the forms input into params |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated as proposed
1. Check your inspector and your `application.html.erb` template. See a CSRF token that s always available? | ||
Remove this one too from `application.html.erb`, and verify that the server hits back with a CSRF error. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a typo here: "that s always available?".
Also, I'm not a big fan of how this looks in the markdown preview. I would either put these two lines on the same line, or add an empty line in between (line lines 118-120).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated and put in a single paragraph.
1. Re-enable form submission with Turbo by removing the `data-turbo=false` attribute on the form tag, then also remove the hidden input with CSRF token tag and submit. | ||
|
||
No more CSRF error!?! | ||
The from is now submitted with Turbo, yet Rails still protects you by verifying a CSRF token. Where does this token comes from? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not a fan of how these lines lay out in the markdown preview either, though I don't really have a great solution in mind. Maybe add an empty line between 120 and 121?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here I have added an empty line to keep the "No more CSRF error" as a standalone observation that the reader should pause on. I did not put it on a separate numbered list item as it s not a new task.
Thanks for the review 🙏 |
@rlmoser99 Or if you think the changes are not necessary and the PR should be closed. |
Because
Turbo is enabled by default from Rails 7 but tasks related to CSRF token in the first rails form project do not take into account default form behavior with Turbo.
This PR
Issue
Closes #28932
Additional Information
NA
Pull Request Requirements
location of change: brief description of change
format, e.g.Intro to HTML and CSS lesson: Fix link text
Because
section summarizes the reason for this PRThis PR
section has a bullet point list describing the changes in this PRIssue
section