Getting rid of CSRF for now.

works without csrf
2025-08-24 14:53:34 -05:00 · 2025-08-24 12:22:00 -05:00
4 changed files with 6 additions and 7 deletions
--- a/.env.rb
+++ b/.env.rb
@ -0,0 +1,3 @@
+
+ENV["APP_SESSION_SECRET"] ||= "x3UUSSxLjgP62TOxfIOdf7dhXnOdLiN2kE0K+nB7TA0LsRTpSxhf8Om9cRUYGYQxUMhzIBeZ3KtOLo3cXlSfdg=="
+# generated with: ruby -rsecurerandom -e 'puts SecureRandom.base64(64).inspect'
--- a/app.rb
+++ b/app.rb
@ -10,11 +10,9 @@ require_relative 'models/assistant'
 # Listing large language models (aka "Assistants")
 class App < Roda
  plugin :render, escape: true
-  plugin :route_csrf
+  plugin :sessions, secret: ENV.delete('APP_SESSION_SECRET')

  route do |r|
-    check_csrf!
-
    r.root do
      @page_title = 'Assistants List'
      @subtitle = 'All Assistants in Database'
--- a/config.ru
+++ b/config.ru
@ -1,3 +1,4 @@
-require "./app"
+require './.env' if File.exist?('.env.rb')
+require './app'

 run App.freeze.app
--- a/views/edit.erb
+++ b/views/edit.erb
@ -15,9 +15,6 @@
    <input type="hidden" name="_method" value="put">
  <% end %>

-  <!-- Add CSRF token tag -->
-  <%== csrf_tag('/assistants') %>
-  
  <div class="field">
    <label class="label">Name</label>
    <div class="control">
Author	SHA1	Message	Date
James Dinkel	5c2466dfaf	Getting rid of CSRF for now.	2025-08-24 14:53:34 -05:00
James Dinkel	d91037686b	works without csrf	2025-08-24 12:22:00 -05:00