RoR forms project - Update CSRF token related sections #29165
Conversation
github-actions
bot
added
the
Content: Ruby on Rails
jg-k
changed the title
wise-king-sullyman
requested review from
a team and
rlmoser99
and removed request for
a team
There was a problem hiding this comment.
Thank you for taking the time to make these changes to these two lessons. There are a few small things that I think we need to change, so that the layout matches the rest of the lesson/curriculum. I left a few suggestions to try and illustrate why I am requesting a change, but I am open to other ideas as well.
| 1. CSRF Safety: | ||
| From Rails 7, Turbo is enabled by default in new apps. Turbo intercepts form submission and makes a partial XHR request instead of a standard HTTP request with full page reload. To get a better grasp of Rails protection against [cross-site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery), let's take a small detour and disable Turbo for this form by setting the data attribute `data-turbo=false`. | ||
| In the dev tools network tab, compare the request type with and without the `data-turbo=false` attribute to confirm it works as expected. |
There was a problem hiding this comment.
When using our markdown preview tool, I don't really like having the "CSRF Safety:" and the last sentence on different lines look. I propose rewording slightly to putting them all on 1 line, something like this:
| 1. CSRF Safety: | |
| From Rails 7, Turbo is enabled by default in new apps. Turbo intercepts form submission and makes a partial XHR request instead of a standard HTTP request with full page reload. To get a better grasp of Rails protection against [cross-site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery), let's take a small detour and disable Turbo for this form by setting the data attribute `data-turbo=false`. | |
| In the dev tools network tab, compare the request type with and without the `data-turbo=false` attribute to confirm it works as expected. | |
| 1. For CSRF safety with Rails 7, Turbo is enabled by default in new apps. Turbo intercepts form submission and makes a partial XHR request instead of a standard HTTP request with full page reload. To get a better grasp of Rails protection against [cross-site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery), let's take a small detour and disable Turbo for this form by setting the data attribute `data-turbo=false`. Then, in the dev tools network tab, compare the request type with and without the `data-turbo=false` attribute to confirm it works as expected. |
| ### Making forms into params | ||
|
|
||
| What about the other form inputs, the ones we actually care about? | ||
| ### Railsifying your form - Making forms input into params |
There was a problem hiding this comment.
Instead of combining these two titles with a hyphen, I'd prefer to combine them together. Maybe something like this:
| ### Railsifying your form - Making forms input into params | |
| ### Railsifying your form by making the forms input into params |
| 1. Check your inspector and your `application.html.erb` template. See a CSRF token that s always available? | ||
| Remove this one too from `application.html.erb`, and verify that the server hits back with a CSRF error. |
There was a problem hiding this comment.
There is a typo here: "that s always available?".
Also, I'm not a big fan of how this looks in the markdown preview. I would either put these two lines on the same line, or add an empty line in between (line lines 118-120).
There was a problem hiding this comment.
Updated and put in a single paragraph.
| 1. Re-enable form submission with Turbo by removing the `data-turbo=false` attribute on the form tag, then also remove the hidden input with CSRF token tag and submit. | ||
|
|
||
| No more CSRF error!?! | ||
| The from is now submitted with Turbo, yet Rails still protects you by verifying a CSRF token. Where does this token comes from? |
There was a problem hiding this comment.
I am not a fan of how these lines lay out in the markdown preview either, though I don't really have a great solution in mind. Maybe add an empty line between 120 and 121?
There was a problem hiding this comment.
Here I have added an empty line to keep the "No more CSRF error" as a standalone observation that the reader should pause on. I did not put it on a separate numbered list item as it s not a new task.
|
Thanks for the review 🙏 |
|
@rlmoser99 Or if you think the changes are not necessary and the PR should be closed. |
Because
Turbo is enabled by default from Rails 7 but tasks related to CSRF token in the first rails form project do not take into account default form behavior with Turbo.
This PR
Issue
Closes #28932
Additional Information
NA
Pull Request Requirements
location of change: brief description of changeformat, e.g.Intro to HTML and CSS lesson: Fix link textBecausesection summarizes the reason for this PRThis PRsection has a bullet point list describing the changes in this PRIssuesection