As I'm working on my "JSON API with Rodauth" screencast (I think it's been 2 years now 😅), I've encountered issues trying to handle CSRF tokens in Rails 7.2. That got me thinking, is it really necessary?

When I initially extracted the `json` feature out of `jwt`, I just assumed that since the `json` feature by itself uses cookie-based authentication, it needs CSRF protection just like JSON mode. However, HTML forms cannot submit requests with the `Content-Type: application/json` header. The Fetch API requires preflight, which can (and should) be blocked by CORS settings.

Of course, it's really easy to disable it today with `check_csrf? false`. However, I'm wondering whether we can disable it by default for JSON requests, like it is currently for JWT requests, or at least recommend it in the documentation. In my screencast app, I thought I figured out how to handle CSRF tokens, but then it broke with Rails 7.2. If it's not necessary, not having to deal with CSRF can significantly lower the barrier for Rodauth users implementing the JSON mode.

Replies: 1 comment

I would be fine with not checking CSRF by default for json requests, for the reasons you mentioned. Can you please submit a PR for that?
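The content-type rule the thread relies on, as an added Ruby example that is not Rodauth's own code: a Rack-style authorization check that skips the CSRF token only when the request declares `application/json` and still demands a token for the form-submittable content types. It goes slightly beyond the post by normalizing the header (parameters such as `charset`, whitespace, case) and by refusing to treat `text/plain` as JSON; the Rack env keys are standard, while the `X-CSRF-Token` header, the `csrf_token` field name and the session layout are assumptions.

```ruby
# Methods that must not change state, so they need no CSRF token.
CSRF_SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Reduce a Content-Type header to its media type: drop parameters such as
# "; charset=utf-8" or "; boundary=...", surrounding whitespace and case.
def media_type(content_type)
  return nil if content_type.nil? || content_type.strip.empty?
  content_type.split(';', 2).first.strip.downcase
end

# An HTML form cannot send Content-Type: application/json, and a cross-origin
# fetch() with that header triggers a CORS preflight, so (as long as CORS does
# not allow the foreign origin) such a request cannot be a classic CSRF.
# text/plain is deliberately NOT treated as JSON even if the body parses as
# JSON: forms can submit text/plain, so it must keep the token check.
def json_request?(env)
  media_type(env['CONTENT_TYPE']) == 'application/json'
end

# The rule proposed in the thread: no CSRF check for JSON requests,
# a CSRF check for every other state-changing request.
def csrf_check_required?(env)
  return false if CSRF_SAFE_METHODS.include?(env['REQUEST_METHOD'].to_s.upcase)
  !json_request?(env)
end

# Constant-time comparison so token mismatches do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The token may arrive in an X-CSRF-Token header or a csrf_token form field
# (both names are assumptions for this example, not Rodauth's).
def csrf_token_valid?(env, params, session)
  expected = session['csrf_token']
  supplied = env['HTTP_X_CSRF_TOKEN'] || params['csrf_token']
  return false if expected.nil? || supplied.nil?
  secure_equal?(expected.to_s, supplied.to_s)
end

# Returns :allow, or :reject_csrf when a required token is missing or wrong.
def authorize(env, params, session)
  return :allow unless csrf_check_required?(env)
  csrf_token_valid?(env, params, session) ? :allow : :reject_csrf
end
```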