feat: opt-in CSRF protection for dashboard actions#40
Conversation
Add `config.csrf_protection_enabled` (default false) so hosts with a session store can enable Rails' CSRF protection for the dashboard's destructive POST actions, on par with Sidekiq::Web. When enabled, `verify_authenticity_token` is no longer skipped, all forms embed an authenticity token via the `csrf_token_field` helper, and the layout renders `csrf_meta_tags`. Disabled by default to keep working in session-less / API-only hosts.
|
Hi @vishaltps 👋 Whenever you get a chance, I'd love a review on this PR. |
vishaltps
left a comment
vishaltps
left a comment
There was a problem hiding this comment.
Nice work on this, tested it locally against a session-backed app and the opt-in flow behaves exactly as described. 👍
One small, purely cosmetic note: the two helpers are both conditional on csrf_protection_enabled, but only one carries the _if_enabled suffix- csrf_meta_tags_if_enabled vs csrf_token_field. Would be nice to unify the naming so the pair reads consistently. Either direction works:
- drop the suffix →
csrf_meta_tags_if_enabledbecomescsrf_meta_tags(but that would shadow Rails' built-in helper, so probably not this one), or - keep both explicit → e.g.
csrf_token_field→csrf_token_field_if_enabled.
Given the shadowing concern, leaning toward making both explicit feels cleanest. Totally non-blocking - just a readability nit.
…naming consistency
|
@vishaltps Thanks for the review! |
|
This shipped in v2.2.0 🎉
Thanks for the thoughtful contribution, @TakuroOnoda the opt-in design and the attention to the trickier edges (the cross-origin asset guard and preserving the token through the bulk submit) made this a clean one to merge. Users can enable it with config.csrf_protection_enabled = true. 🙏 |
2 participants
Summary
Adds opt-in CSRF protection for the dashboard's destructive
POSTactions (retry / discard / pause / resume / execute / reject / remove / prune), gated behind a newcsrf_protection_enabledconfig (defaultfalse).Why opt-in (default off)
The gem renders raw HTML forms and doesn't assume a session store (it supports API-only apps).
Rails' CSRF tokens require a session, so enabling it by default would break session-less hosts.
Off by default = fully backward compatible.
Changes
SolidQueueMonitor.csrf_protection_enabled(defaultfalse).skip_before_action :verify_authenticity_tokenis now skipped only when protection is disabled. When enabled, unverified POSTs return422; safe methods pass through.csrf_token_fieldhelper; the layout addscsrf_meta_tags. Both render nothing when disabled.Enable
Requires a session store, same-origin mount, and a non-
api_onlyapp.Thanks for building and maintaining such a clean, lightweight gem.
I've tried to keep this change minimal and fully backward compatible.
Hope it's a useful addition, and I'd love to hear your thoughts. 🙂