Remove form_authenticity_token method (#371)

willnet · web-flow · commit 0b3e8312d092 · 2024-04-19T00:29:11.000Z
* Remove form_authenticity_token method Fix #330 As detailed in the URL below, the call to `form_authenticity_token` wasn't useful and was causing issues like #330, so remove it. ref: - #357 (comment) - #357 (comment) * Update CHANGELOG with removal of form_authenticity_token method
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,7 @@
 # Changelog
 ## HEAD
+
+* Remove form_authenticity_token method [#371](https://github.com/Sorcery/sorcery/pull/371)
 * Remove legacy Rails version conditionals [#370](https://github.com/Sorcery/sorcery/pull/370)
 * Bump up required ruby version to 3.0.0 [#369](https://github.com/Sorcery/sorcery/pull/369)
 
diff --git a/lib/sorcery/controller.rb b/lib/sorcery/controller.rb
@@ -54,7 +54,6 @@ def login(*credentials)
           old_session.each_pair do |k, v|
             session[k.to_sym] = v
           end
-          form_authenticity_token
 
           auto_login(user, credentials[2])
           after_login!(user, credentials)
diff --git a/spec/controllers/controller_spec.rb b/spec/controllers/controller_spec.rb
@@ -63,16 +63,6 @@
         it 'writes user id in session' do
           expect(session[:user_id]).to eq user.id.to_s
         end
-
-        # NOTE: The lack of a CSRF token may mean that sessions will break
-        #       horribly for Sorcery when using Rails 7.1+. We shall see.
-        it 'sets csrf token in session' do
-          if Gem::Version.new(Rails.version) >= Gem::Version.new('7.1')
-            pending 'Rails 7.1 is not including the csrf token in the session for unknown reasons'
-          end
-
-          expect(session[:_csrf_token]).not_to be_nil
-        end
       end
 
       context 'when fails' do
