Allow provision of csrf cookie secure flag (#35)

jsanders · Feb 3, 2020 · de3f815 · de3f815
1 parent 3ee0257
commit de3f815
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/lib/angular_rails_csrf/concern.rb b/lib/angular_rails_csrf/concern.rb
@@ -12,9 +12,15 @@ def set_xsrf_token_cookie
       return unless protect_against_forgery? && !respond_to?(:__exclude_xsrf_token_cookie?)
 
       config = Rails.application.config
-      domain = config.respond_to?(:angular_rails_csrf_domain) ? config.angular_rails_csrf_domain : nil
+
+      cookie_options = {
+        value: form_authenticity_token,
+        domain: config.respond_to?(:angular_rails_csrf_domain) ? config.angular_rails_csrf_domain : nil
+      }
+      cookie_options[:secure] = config.angular_rails_csrf_secure if config.respond_to?(:angular_rails_csrf_secure)
+
       cookie_name = config.respond_to?(:angular_rails_csrf_cookie_name) ? config.angular_rails_csrf_cookie_name : 'XSRF-TOKEN'
-      cookies[cookie_name] = {value: form_authenticity_token, domain: domain}
+      cookies[cookie_name] = cookie_options
     end
 
     def verified_request?

diff --git a/test/angular_rails_csrf_test.rb b/test/angular_rails_csrf_test.rb
@@ -41,6 +41,23 @@ def config.angular_rails_csrf_domain
     assert @response.headers['Set-Cookie'].include?('.test.host')
     assert_valid_cookie
     assert_response :success
+  ensure
+    config.instance_eval('undef :angular_rails_csrf_domain')
+  end
+
+  test 'the secure flag is set if configured' do
+    @request.headers['HTTPS'] = 'on'
+
+    config = Rails.application.config
+    config.define_singleton_method(:angular_rails_csrf_secure) { true }
+
+    get :index
+    assert @response.headers['Set-Cookie'].include?('secure')
+    assert_valid_cookie
+    assert_response :success
+  ensure
+    @request.headers['HTTPS'] = nil
+    config.instance_eval('undef :angular_rails_csrf_secure')
   end
 
   test 'a custom name is used if present' do