Commit
Fix password sign-in bug caused by Rails 5 upgrade
Previously, if you tried to sign in with a password, the request would succeed but you wouldn't get an authenticated session.

The fix is to ensure `protect_from_forgery` is called as early as possible, because otherwise if anything devisey (like `authenticate_user` or even just `current_user`) calls `warden.authenticate` first, the CSRF token validation will fail, invalidating your session.

In Rails 4.2, regardless of where `protect_from_forgery` was called, it would cause `verify_authenticity_token` to run before all other `before_action`s. Moving #protect_with_forgery to the beginning of ApplicationController restores the Rails 4.2 behavior and ensures the CSRF token validates.

Fixes railsbridge#530
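The ordering effect described in the commit message, as an added example that is not code from this commit or from the project. It is a plain-Ruby toy model of a callback chain, not Rails or Devise; the class names, token and password are constructed, and it assumes that a successful authentication drops the stored CSRF token and that a failed CSRF check empties the session.

```ruby
# Toy model of a before_action chain; not Rails or Devise code.
class ModelController
  def self.chain
    @chain ||= []
  end
  def self.before_action(name, prepend: false)
    prepend ? chain.unshift(name) : chain.push(name)
  end

  def initialize(session, params)
    @session, @params = session, params
  end

  def process
    self.class.chain.each { |callback| send(callback) }
    @session
  end

  # Stands in for any call that reaches warden.authenticate during sign-in.
  # Assumption: successful authentication drops the stored CSRF token.
  def authenticate_user
    return unless @params[:password] == "pw-constructed"
    @session[:user_id] = 1
    @session.delete(:_csrf_token)
  end

  # Stands in for verify_authenticity_token; a mismatch empties the session.
  def verify_authenticity_token
    @session.clear unless @params[:authenticity_token] == @session[:_csrf_token]
  end
end

class BrokenController < ModelController   # Rails 5: CSRF check appended last
  before_action :authenticate_user
  before_action :verify_authenticity_token
end
class FixedController < ModelController    # the fix: CSRF check declared first
  before_action :verify_authenticity_token
  before_action :authenticate_user
end
class Rails42Controller < ModelController  # Rails 4.2: check prepended anyway
  before_action :authenticate_user
  before_action :verify_authenticity_token, prepend: true
end

def sign_in(controller)                    # constructed POST-like sign-in
  params = { authenticity_token: "tok", password: "pw-constructed" }
  controller.new({ _csrf_token: "tok" }, params).process
end
```

`sign_in(BrokenController)` returns an empty session even though the password was accepted, while the other two orderings keep `user_id`.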