Running ruby 1.9.3 and Rails 3.2.8. I feel like I’m not fully understanding how CSRF works.
I have protect_from_forgery in my ApplicationController.
So, now should all non-GET requests require an authentication token?
Yes (unless you explicitly skip the before filter that does that verification)
Specifically, I have a destroy method that doesn’t seem to care if a token is present or not. (I can submit a curl request in terminal, and it doesn’t balk.)
What happens? The default action when the token is missing or invalid is to reset the session (to clear your credentials. There is also a hook for libraries like devise to zap their credential storage) and then continue processing the request. Given that CSRF is about using a user's credentials without them knowing it, if the action didn’t require authentication in the first place it is considered ok. You can overwrite handle_unverified_request if you want to change this (for example you could restore the rails 2.x behaviour, which was to raise an exception).
Does being in development have something to do with it
No
Fred
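The flow Fred describes, as an added, self-contained Ruby model (constructed for this page; it is not Rails' ActionController code, and the class names, the process/verified_request? methods and the two destroy_* actions are assumed stand-ins). It shows why a forged DELETE against an action that never checked for a login still "works" after the session reset, and how overriding handle_unverified_request turns that into a hard failure:

```ruby
# Constructed stand-in for the forgery-protection flow described above.
# It is not Rails' ActionController code; names like process, verified_request?
# and the two destroy_* actions are assumptions made for this example.
class ForgeryProtectedController
  attr_reader :session, :log

  def initialize(session)
    @session = session   # plain Hash standing in for the Rails session
    @log = []            # records what the request ended up doing
  end

  # Equivalent of the before filter that protect_from_forgery installs:
  # verify first, then run the action regardless of the outcome.
  def process(http_method, params, action)
    verify_authenticity_token(http_method, params)
    send(action)
    log
  end

  private

  # GET and HEAD are exempt; every other verb must carry the session's token.
  def verified_request?(http_method, params)
    %w[GET HEAD].include?(http_method) ||
      params['authenticity_token'] == session['_csrf_token']
  end

  def verify_authenticity_token(http_method, params)
    handle_unverified_request unless verified_request?(http_method, params)
  end

  # Rails 3.x default: wipe the session (dropping any credentials held in it)
  # and keep going. The action itself decides whether that matters.
  def handle_unverified_request
    session.clear
    log << :session_reset
  end

  # An action that requires a logged-in user: after the reset there is none,
  # so the forged request achieves nothing.
  def destroy_requiring_login
    if session['user_id']
      log << :destroyed
    else
      log << :redirected_to_login
    end
  end

  # An action that never checked authentication: the reset is irrelevant and
  # the action runs, which is what the curl test in the question observed.
  def destroy_without_login
    log << :destroyed
  end
end

# Overriding handle_unverified_request restores the Rails 2.x behaviour of
# refusing the request outright instead of resetting the session.
class StrictController < ForgeryProtectedController
  class InvalidAuthenticityToken < StandardError; end

  private

  def handle_unverified_request
    raise InvalidAuthenticityToken, 'CSRF token missing or invalid'
  end
end

# Runs the four cases side by side and returns what each request did.
def run_scenarios
  token = 'constructed-token'
  logged_in = { '_csrf_token' => token, 'user_id' => 42 }
  results = {}

  ctl = ForgeryProtectedController.new(logged_in.dup)
  results[:valid_token] =
    ctl.process('DELETE', { 'authenticity_token' => token }, :destroy_requiring_login)

  ctl = ForgeryProtectedController.new(logged_in.dup)
  results[:missing_token_login_required] =
    ctl.process('DELETE', {}, :destroy_requiring_login)

  ctl = ForgeryProtectedController.new(logged_in.dup)
  results[:missing_token_no_login] =
    ctl.process('DELETE', {}, :destroy_without_login)

  begin
    StrictController.new(logged_in.dup).process('DELETE', {}, :destroy_without_login)
    results[:strict_raised] = false
  rescue StrictController::InvalidAuthenticityToken
    results[:strict_raised] = true
  end

  results
end

if __FILE__ == $0
  run_scenarios.each { |name, outcome| puts "#{name}: #{outcome.inspect}" }
end
```

The token check here is deliberately simplified: real Rails also accepts the token from the X-CSRF-Token request header and compares against form_authenticity_token. The point the model makes is unchanged by that detail: with the default handler, a missing token only costs the attacker the victim's session, so an action that is reachable without a session is unaffected, and only the raising override makes the request itself fail.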