From bf69c3fb619a5c532990f43fc1a1f2eefe90141e Mon Sep 17 00:00:00 2001 From: Jean-Gregoire Kherian Date: Fri, 13 Dec 2024 09:35:28 +0000 Subject: [PATCH] Implement review fixes. Fix links. --- ruby_on_rails/forms_and_authentication/form_basics.md | 7 +++---- ruby_on_rails/forms_and_authentication/project_forms.md | 9 +++------ 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/ruby_on_rails/forms_and_authentication/form_basics.md b/ruby_on_rails/forms_and_authentication/form_basics.md index cc65673eba..b0c753f604 100644 --- a/ruby_on_rails/forms_and_authentication/form_basics.md +++ b/ruby_on_rails/forms_and_authentication/form_basics.md @@ -47,7 +47,7 @@ The first line tells us which HTTP method was used and which route the form went You'll find yourself looking at this server output a lot when you start building forms. It'll keep you sane because it tells you exactly what the browser sent back to your application so you can see if there's been a... misunderstanding. -### Railsifying your form - Making forms input into params +### Railsifying your form by making forms input into params Each one of these inputs is structured slightly differently, but there are some commonalities. One important thing to note is the `name` attribute that you can give to an input tag. In Rails, that's very important. The `name` attribute tells Rails what it should call the stuff you entered in that input field when it creates the `params` hash. For instance, 
@@ -276,9 +276,8 @@ At this point, you should have a solid understanding of how forms work in genera The following questions are an opportunity to reflect on key topics in this lesson. If you can't answer a question, click on it to review the material, but keep in mind you are not expected to memorize or master this knowledge. -- [What is a CSRF Token and why is it necessary?](#railsifying-your-form) -- [What is the `name` attribute of a form input element and what does it do?](#making-forms-into-params) -- [How do you nest attributes under a single hash in `params`?](#making-forms-into-params) +- [What is the `name` attribute of a form input element and what does it do?](#railsifying-your-form-by-making-forms-input-into-params) +- [How do you nest attributes under a single hash in `params`?](#railsifying-your-form-by-making-forms-input-into-params) - [How do you pass `form_with` a model object?](#using-models-with-the-form_with-helper) - [How do you access errors for a failed-to-save model object?](#forms-and-validations) - [How do Rails forms make PATCH or DELETE requests?](#making-patch-and-delete-submissions) diff --git a/ruby_on_rails/forms_and_authentication/project_forms.md b/ruby_on_rails/forms_and_authentication/project_forms.md index 9d606a93ac..b3da3f0e96 100644 --- a/ruby_on_rails/forms_and_authentication/project_forms.md +++ b/ruby_on_rails/forms_and_authentication/project_forms.md 
@@ -34,8 +34,7 @@ The first form you build will be mostly HTML (remember that stuff at all?). Bui 1. Create the proper input tags for your user's fields (email, username and password). Use the proper password input for "password". Be sure to specify the `name` attribute for these inputs. Make label tags which correspond to each field. -1. CSRF Safety: -From Rails 7, Turbo is enabled by default in new apps. Turbo intercepts form submission and makes a partial XHR request instead of a standard HTTP request with full page reload. To get a better grasp of Rails protection against [cross-site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery), let's take a small detour and disable Turbo for this form by setting the data attribute `data-turbo=false`. +1. For CSRF safety with Rails 7, Turbo is enabled by default in new apps. Turbo intercepts form submission and makes a partial XHR request instead of a standard HTTP request with full page reload. To get a better grasp of Rails protection against [cross-site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery), let's take a short detour and disable Turbo for this form by setting the data attribute `data-turbo=false`. In the dev tools network tab, compare the request type with and without the `data-turbo=false` attribute to confirm it works as expected. 1. Submit your form and view the server output. The request should be intercepted before reaching your controller and the server will throw a CSRF error `ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.)`. 
@@ -117,11 +116,9 @@ Above, we asked to disable Turbo for the sake of the exercise. 1. Re-enable form submission with Turbo by removing the `data-turbo=false` attribute on the form tag, then also remove the hidden input with CSRF token tag and submit. - No more CSRF error!?! - The from is now submitted with Turbo, yet Rails still protects you by verifying a CSRF token. Where does this token comes from? + No more CSRF error?! -1. Check your inspector and your `application.html.erb` template. See a CSRF token that s always available? -Remove this one too from `application.html.erb`, and verify that the server hits back with a CSRF error. +1. The from is now submitted with Turbo, yet Rails still protects you by verifying a CSRF token. Where does this token comes from? Check your inspector and your `application.html.erb` template. Can you find a CSRF token that is always available? Remove this one too from `application.html.erb`, and verify that the server hits back with a CSRF error. 1. Reinstate the CSRF token tag in both places and carry on.
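Review bot: In the form_basics.md hunk at line 50, renaming the heading changes its generated anchor, so any link that still targets the old `#railsifying-your-form` or `#making-forms-into-params` fragments, in this file or elsewhere in the curriculum, will break; the knowledge-check list in this same file is updated, but please grep the rest of the repository for those two fragments before merging. The new wording `Railsifying your form by making forms input into params` is also slightly awkward; `Railsifying your form by turning form inputs into params` would read better, with the anchors in the second hunk adjusted to match.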
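Review bot: The second form_basics.md hunk (lines 279-281) deletes the question `What is a CSRF Token and why is it necessary?` instead of re-pointing it, which leaves the lesson with no reflection question on CSRF even though the project in project_forms.md is built around provoking and understanding the `InvalidAuthenticityToken` error. If the section that the old `#railsifying-your-form` link targeted still explains the authenticity token, keep the question and point it at the new `#railsifying-your-form-by-making-forms-input-into-params` anchor; if the explanation lives elsewhere, point it there rather than dropping it.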
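Review bot: In the first project_forms.md hunk (line 37), merging the `CSRF Safety:` label into the sentence produces `For CSRF safety with Rails 7, Turbo is enabled by default in new apps`, which now states that Turbo is enabled for CSRF safety; Turbo is a default for new apps regardless, and the detour disables it precisely to make the CSRF protection visible. Keep the label and the original causal order, for example `1. CSRF safety. From Rails 7, Turbo is enabled by default in new apps. Turbo intercepts form submission ...`, so the step still reads as a single list item without implying that Turbo is the CSRF mechanism.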
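Review bot: The second project_forms.md hunk (line 121) rewrites the step but carries two typos over from the removed lines: `The from is now submitted with Turbo` should be `The form is now submitted with Turbo`, and `Where does this token comes from?` should be `Where does this token come from?`. Since the line is being touched anyway, fix both here rather than in a follow-up.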