Disable CSRF Protection

scalableinternetservices · Dec 10, 2024 · 4abe43d · 4abe43d
1 parent 0781863
commit 4abe43d
Show file tree

Hide file tree

Showing 9 changed files with 129 additions and 0 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,4 +1,5 @@
 class ApplicationController < ActionController::Base
+  skip_forgery_protection
   skip_before_action :verify_authenticity_token
 
   private

diff --git a/app/controllers/chat_messages_controller.rb b/app/controllers/chat_messages_controller.rb
@@ -1,4 +1,5 @@
 class ChatMessagesController < ApplicationController
+  skip_forgery_protection
   before_action :require_login
   before_action :set_chat_room
   before_action :check_membership

diff --git a/app/controllers/chat_rooms_controller.rb b/app/controllers/chat_rooms_controller.rb
@@ -1,4 +1,5 @@
 class ChatRoomsController < ApplicationController
+  skip_forgery_protection
   before_action :require_login
   before_action :set_chat_room, only: [:show]
   before_action :check_membership, only: [:show]

diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
@@ -1,4 +1,5 @@
 class CommentsController < ApplicationController
+  skip_forgery_protection
   before_action :require_login, only: [:update, :destroy]
   before_action :set_post
   before_action :set_comment, only: [:update, :destroy]

diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb
@@ -1,4 +1,5 @@
 class PostsController < ApplicationController
+  skip_forgery_protection
   before_action :require_login, only: [:update, :destroy, :like, :unlike]
   before_action :set_post, only: [:show, :update, :destroy, :like, :unlike]
   before_action :check_ownership, only: [:update, :destroy]

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -1,4 +1,5 @@
 class SessionsController < ApplicationController
+  skip_forgery_protection
   def create
     user = User.find_by(username: params[:username])
     if user && user.authenticate(params[:password])

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -1,4 +1,5 @@
 class UsersController < ApplicationController
+  skip_forgery_protection
   before_action :require_login, only: [:potential_chat_members]
 
   def index

diff --git a/tsung_scripts/tsung_auth_login.xml b/tsung_scripts/tsung_auth_login.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0"?>
+<!DOCTYPE tsung SYSTEM "/usr/local/share/tsung/tsung-1.0.dtd" [] >
+<tsung loglevel="notice">
+  <clients>
+    <client host="localhost" maxusers="32768" use_controller_vm="true" />
+  </clients>
+
+  <servers>
+    <server host="ziqi.eba-wqi6mj7g.us-west-2.elasticbeanstalk.com" port="80" type="tcp" />
+  </servers>
+
+  <load>
+    <!-- Phase 1 -->
+    <arrivalphase phase="1" duration="20" unit="second">
+      <users arrivalrate="1" unit="second"></users>
+    </arrivalphase>
+    <!-- Phase 2 -->
+    <arrivalphase phase="2" duration="20" unit="second">
+      <users arrivalrate="4" unit="second"></users>
+    </arrivalphase>
+    <!-- Phase 3 -->
+    <arrivalphase phase="3" duration="20" unit="second">
+      <users arrivalrate="8" unit="second"></users>
+    </arrivalphase>
+    <!-- Phase 4 -->
+    <arrivalphase phase="4" duration="60" unit="second">
+      <users arrivalrate="16" unit="second"></users>
+    </arrivalphase>
+    <!-- Phase 5 -->
+    <arrivalphase phase="5" duration="60" unit="second">
+      <users arrivalrate="64" unit="second"></users>
+    </arrivalphase>
+    <arrivalphase phase="6" duration="60" unit="second">
+      <users arrivalrate="128" unit="second"></users>
+    </arrivalphase>
+  </load>
+
+  <options>
+    <!-- Set connection timeout to 2 seconds -->
+    <option name="global_ack_timeout" value="2000"></option>
+  </options>
+
+  <sessions>
+    <session name="register-login-logout" type="ts_http" weight="1">
+      <setdynvars sourcetype="random_string" length="20">
+        <var name="rand_str1" />
+      </setdynvars>
+
+      <request>
+        <dyn_variable name="user_id" jsonpath="$.user.id"/>
+        <http url="/api/signup" method="POST" version="1.1" contents="username=user_%%_rand_str1%%;password=w12345678;password_confirmation=w12345678;"></http>
+      </request>
+      <thinktime value="2" random="true"></thinktime>
+
+      <request><http url="/api/login" method="POST" version="1.1" contents="username=user_%%_rand_str%%;password=w12345678;"></http></request>
+      <thinktime value="2" random="true"></thinktime>
+
+      <request><http url="/api/logout" method="DELETE" version="1.1" contents="user_id=%%_user_id%%"></http></request>
+    </session>
+  </sessions>
+</tsung>
diff --git a/tsung_scripts/tsung_unauth.xml b/tsung_scripts/tsung_unauth.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0"?>
+<!DOCTYPE tsung SYSTEM "/usr/local/share/tsung/tsung-1.0.dtd" [] >
+<tsung loglevel="notice">
+  <clients>
+    <client host="localhost" maxusers="32768" use_controller_vm="true" />
+  </clients>
+
+  <servers>
+    <server host="ziqi.eba-wqi6mj7g.us-west-2.elasticbeanstalk.com" port="80" type="tcp" />
+  </servers>
+
+  <load>
+    <!-- Phase 1 -->
+    <arrivalphase phase="1" duration="20" unit="second">
+      <users arrivalrate="1" unit="second"></users>
+    </arrivalphase>
+    <!-- Phase 2 -->
+    <arrivalphase phase="2" duration="20" unit="second">
+      <users arrivalrate="4" unit="second"></users>
+    </arrivalphase>
+    <!-- Phase 3 -->
+    <arrivalphase phase="3" duration="20" unit="second">
+      <users arrivalrate="8" unit="second"></users>
+    </arrivalphase>
+    <!-- Phase 4 -->
+    <arrivalphase phase="4" duration="60" unit="second">
+      <users arrivalrate="16" unit="second"></users>
+    </arrivalphase>
+    <!-- Phase 5 -->
+    <arrivalphase phase="5" duration="60" unit="second">
+      <users arrivalrate="64" unit="second"></users>
+    </arrivalphase>
+    <arrivalphase phase="6" duration="60" unit="second">
+      <users arrivalrate="128" unit="second"></users>
+    </arrivalphase>
+  </load>
+
+  <options>
+    <!-- Set connection timeout to 2 seconds -->
+    <option name="global_ack_timeout" value="2000"></option>
+  </options>
+
+  <sessions>
+    <session name="register-login-logout" type="ts_http" weight="1">
+      <setdynvars sourcetype="random_string" length="13">
+        <var name="rand_str1" />
+      </setdynvars>
+
+      <request>
+        <dyn_variable name="user_id" jsonpath="$.user.id"/>
+        <http url="/api/signup" method="POST" version="1.1" contents="username=user_%%_rand_str1%%;password=w12345678;password_confirmation=w12345678;"></http>
+      </request>
+      <thinktime value="2" random="true"></thinktime>
+
+      <request><http url="/api/posts" method="POST" version="1.1" contents="content=unauth_%%_rand_str%%"></http></request>
+      <thinktime value="2" random="true"></thinktime>
+
+      <request><http url="/api/logout" method="DELETE" version="1.1" contents="user_id=%%_user_id%%"></http></request>
+    </session>
+  </sessions>
+</tsung>