I am implementing the code in this faye pub/sub tutorial(http://faye.jcoglan.com/security/csrf.html) – go to the example rails section to see the code I am talking about.
This code always seems to produce an error because the authenticity token in the html of the site, is different from the stored csrf_token in rails.
After inspecting this, I realized that the rails actually encrypts and decrypts tokens, and so to properly compare the authenticity token with the csrf_token in session, one has to first decrypt it.
There should be a rails method that allows you to manually compare the csrf_token with the authenticity token so one can secure pub/sub channels (and to my knowledge, publishing to a pub/sub channel doesn’t go through a rails action, and so one can’t use the protect_from_forgery thing).
Thoughts on this? What is the way to protect the pub/sub channel from csrf protection?