Remove CSRF check - doesn't work properly as implemented, but connect request should probably be changed to POST

2026-02-27 01:43:22 +00:00 · 2016-10-01 10:31:49 +01:00
parent eed11faa62
commit 758f57a889
2 changed files with 12 additions and 21 deletions
--- a/app/controllers/admin/enterprises_controller.rb
+++ b/app/controllers/admin/enterprises_controller.rb
@@ -115,31 +115,26 @@ module Admin
    end

    def stripe_connect
-      redirect_to authorize_stripe(params[:enterprise_id], csrf: form_authenticity_token)
+      redirect_to authorize_stripe(params[:enterprise_id])
    end

    def stripe_connect_callback
      if params["code"]
        state = JSON.parse(params["state"].gsub("=>",":"))
-        # Check csrf
-        if state["csrf"] != form_authenticity_token
-          redirect_to '/unauthorized'
-        else
-          # Get the Enterprise
-          @enterprise = Enterprise.find_by_permalink(state["enterprise_id"])
+        # Get the Enterprise
+        @enterprise = Enterprise.find_by_permalink(state["enterprise_id"])

-          # Get the deets from Stripe
-          response_params = get_stripe_token(params["code"]).params
+        # Get the deets from Stripe
+        response_params = get_stripe_token(params["code"]).params

-          stripe_account = StripeAccount.new(stripe_user_id: response_params["stripe_user_id"], stripe_publishable_key: response_params["stripe_publishable_key"], enterprise: @enterprise)
-          if stripe_account.save
-            respond_to do |format|
-              format.html { redirect_to main_app.edit_admin_enterprise_path(@enterprise), notice: "Stripe account connected successfully."}
-              format.json { render json: stripe_account }
-            end
-          else
-            render text: "Failed to save Stripe token", status: 500
+        stripe_account = StripeAccount.new(stripe_user_id: response_params["stripe_user_id"], stripe_publishable_key: response_params["stripe_publishable_key"], enterprise: @enterprise)
+        if stripe_account.save
+          respond_to do |format|
+            format.html { redirect_to main_app.edit_admin_enterprise_path(@enterprise), notice: "Stripe account connected successfully."}
+            format.json { render json: stripe_account }
          end
+        else
+          render text: "Failed to save Stripe token", status: 500
        end
      else
        render text: params["error_description"], status: 500
--- a/spec/features/admin/stripe_connect_spec.rb
+++ b/spec/features/admin/stripe_connect_spec.rb
@@ -6,8 +6,4 @@ feature "Connecting a Stripe Account" do
  before(:each) { login_to_admin_section }
  let!(:enterprise) { create :enterprise }

-  scenario "Passing an invalid CSRF token" do
-    visit "/stripe/callback?state=%7B%22csrf%22%3D%3E%22ByQF3~~~nonsense~~~4hwwmhAek4u4AEo0%3D%22%2C+%22enterprise_id%22%3D%3E%22#{enterprise.permalink}%22%7D&scope=read_only&code=ac_9HJF2pynjz5vlRWGXtpnGvL3yT9y01DY"
-    page.should have_content "Unauthorized" 
-  end
 end