Add module for allowing requests from Labs domain

f0740218 · smayer · 128c86ed · f0740218 · f0740218 · f0740218
Commit f0740218 authored 2 years ago by smayer
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
 class ApplicationController < ActionController::Base
  include Authentication
+  include AddProxyRequestOrigin

  def send_file
    File.open("tmp/#{params[:filename]}", "r") do |f|

--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -76,6 +76,4 @@ Rails.application.configure do
  # Allow Action Cable access from any origin.
  config.action_cable.url = ENV['NEP_CABLE_URL'] || 'http://127.0.0.1:3000/cable'
  config.action_cable.allowed_request_origins = [ENV['NEP_LABS_DOMAIN'], 'http://127.0.0.1:8001']
-  # Allow XHR/Ajax requests from different origin
-  config.action_controller.forgery_protection_origin_check = false
 end
--- a/config/initializers/cors.rb
+++ b/config/initializers/cors.rb
+# Allow requests from Labs domain
+module AddProxyRequestOrigin
+  extend ActionController::RequestForgeryProtection
+
+  allowed_request_origins = [ENV['NEP_LABS_DOMAIN'], 'http://127.0.0.1:8001']
+
+  def valid_request_origin? # :doc:
+    if forgery_protection_origin_check
+      # We accept blank origin headers because some user agents don't send it.
+      raise InvalidAuthenticityToken, NULL_ORIGIN_MESSAGE if request.origin == "null"
+      request.origin.nil? || request.origin == request.base_url || request.origin in allowed_request_origins
+    else
+      true
+    end
+  end
+end