Allowed Routes
crisward opened this issue · 1 comments
crisward commented
I need to allow specific routes to skip past a csrf check. This is for callbacks from a payment gateway.
I plan to add an `allowed_routes` array to the config object. What do you think?
e.g.

```crystal
add_handler CSRF.new(
  header: "X_CSRF_TOKEN",
  allowed_methods: ["GET", "HEAD", "OPTIONS", "TRACE"],
  parameter_name: "_csrf",
  error: "CSRF Error",
  allowed_routes: ["/api/confirm_payment"]
)
```
If there is already a way to do this that I'm not aware of, I'd be happy to hear it. Thanks.
sdogruyol commented
This is definitely needed 👍
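
A stand-alone sketch of how the `allowed_routes` check proposed in this issue could decide which requests skip the token check. This is an added example, not code from kemal-csrf or from either commenter. The `exempt?` helper and the sample requests are hypothetical, and exact-path matching is an assumption about how the option would compare routes.

```crystal
# Added example: stand-alone sketch of the proposed allowed_routes check.
# Not kemal-csrf's code; exempt? and the sample requests are hypothetical.

ALLOWED_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"]
ALLOWED_ROUTES  = ["/api/confirm_payment"]

# True when the request may skip the CSRF token check.
def exempt?(method : String, path : String) : Bool
  # Methods listed in allowed_methods are never checked.
  return true if ALLOWED_METHODS.includes?(method)
  # Exact comparison on the request path only. A prefix test such as
  # path.starts_with?(route) would also exempt sibling routes that
  # merely begin with an allowed route.
  ALLOWED_ROUTES.includes?(path)
end

# Constructed sample requests: {method, path}
samples = [
  {"GET", "/account"},
  {"POST", "/account"},
  {"POST", "/api/confirm_payment"},
  {"POST", "/api/confirm_payment_settings"},
  {"POST", "/api/confirm_payment/../account"},
]

samples.each do |method, path|
  verdict = exempt?(method, path) ? "skip CSRF check" : "require CSRF token"
  puts "#{method.ljust(5)} #{path.ljust(34)} #{verdict}"
end
```

Only the `GET` request and the exact `POST /api/confirm_payment` are exempt; the other three still require a token. A route on this list has no CSRF protection, so its handler has to authenticate the gateway callback by some other means.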