Version 4.5.0

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 4.5.0 (21-Sep-20)
+
+* Added a new [`HttpOnly` option](https://github.com/jsanders/angular_rails_csrf#httponly-cookie) (thanks, [@Lubo-mir](https://github.com/Lubo-mir))
+* Introduced some code refactorings
+
 ## 4.4.0 (04-Aug-20)
 
 * Make the gem play nicely with controllers that do not have `protect_against_forgery?` method defined — for example, certain Doorkeeper controllers (thanks, [@amenz](https://github.com/amenz))

README.md

@@ -84,7 +84,7 @@ Please note that [Safari is known to have issues](https://bugs.webkit.org/show_b
 
 ### HttpOnly Cookie
 
-To set a "httponly" flag for the cookie, set the `angular_rails_csrf_httponly` option to `true`:
+To set the ["httponly" flag](https://owasp.org/www-community/HttpOnly) for your cookie, set the `angular_rails_csrf_httponly` option to `true`:
 
 ```ruby
 # application.rb

angular_rails_csrf.gemspec

@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rake', '~> 13.0'
   s.add_development_dependency 'test-unit', '~> 3.2'
   if ENV['TEST_RAILS_VERSION'].nil?
-    s.add_development_dependency 'rails', '6.0.3.2'
+    s.add_development_dependency 'rails', '6.0.3.3'
   else
     s.add_development_dependency 'rails', ENV['TEST_RAILS_VERSION'].to_s
   end

lib/angular_rails_csrf/concern.rb

@@ -13,19 +13,20 @@ def set_xsrf_token_cookie
 
       config = Rails.application.config
 
-      same_site = same_site_from config
-      httponly = httponly_from config
-      secure = secure_from config
+      secure = option_from config, :angular_rails_csrf_secure
+      same_site = option_from config, :angular_rails_csrf_same_site, :lax
 
       cookie_options = {
         value: form_authenticity_token,
-        domain: domain_from(config),
+        domain: option_from(config, :angular_rails_csrf_domain),
         same_site: same_site,
-        httponly: httponly,
+        httponly: option_from(config, :angular_rails_csrf_httponly, false),
         secure: same_site.eql?(:none) || secure
       }
 
-      cookie_name = cookie_name_from config
+      cookie_name = option_from(config,
+                                :angular_rails_csrf_cookie_name,
+                                'XSRF-TOKEN')
       cookies[cookie_name] = cookie_options
     end
 
@@ -35,24 +36,10 @@ def verified_request?
 
     private
 
-    def same_site_from(config)
-      config.respond_to?(:angular_rails_csrf_same_site) ? config.angular_rails_csrf_same_site : :lax
-    end
-
-    def httponly_from(config)
-      config.respond_to?(:angular_rails_csrf_httponly) ? config.angular_rails_csrf_httponly : false
-    end
-
-    def secure_from(config)
-      config.angular_rails_csrf_secure if config.respond_to?(:angular_rails_csrf_secure)
-    end
-
-    def domain_from(config)
-      config.respond_to?(:angular_rails_csrf_domain) ? config.angular_rails_csrf_domain : nil
-    end
-
-    def cookie_name_from(config)
-      config.respond_to?(:angular_rails_csrf_cookie_name) ? config.angular_rails_csrf_cookie_name : 'XSRF-TOKEN'
+    # Fetches the given option from config
+    # If the option is not set, return a default value
+    def option_from(config, option, default = nil)
+      config.respond_to?(option) ? config.send(option) : default
     end
 
     module ClassMethods

lib/angular_rails_csrf/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AngularRailsCsrf
-  VERSION = '4.4.0'
+  VERSION = '4.5.0'
 end