Cross-Site Forgery Protection in Rails Tests
Cross-Site Request Forgery (CSRF) protection is a built-in feature in Rails.
However, by default this protection is switched off in the test environment. This makes it easy to test controllers without having to provide a CSRF token with every request, but it can cause problems because our tests are then not fully representative of real-world requests.
This is especially true for API controllers, where sessions are not used and so no CSRF token is available to send. This means API controllers would usually skip the CSRF token check with skip_before_action :verify_authenticity_token. However, if you forget to skip this check your tests will still pass, since forgery protection is completely switched off! In order to avoid this problem I tried to see if it’s possible to configure RSpec to enable forgery protection for API tests.
Using this configuration your tests will perform the normal CSRF checks, which means you will get a 422 response unless your controllers skip the authenticity token check. At the same time the rest of your test suite will run without forgery protection, which may or may not be the desired outcome - but it matches the existing behavior.
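The effect described above can be seen without a Rails app. The block below is an added example, not code from the post or from Rails itself: it is a small stand-in that models how the verify_authenticity_token callback is gated by the allow_forgery_protection setting (false in config/environments/test.rb), and how an RSpec around hook that flips that setting on for API examples exposes a controller that forgot the skip. The class and method names (ApiController, ForgotToSkipController, with_forgery_protection and so on) are assumptions made for the illustration; the real Rails hook is sketched in a comment.

```ruby
# Added example (not Rails' or the post's code): a minimal model of Rails'
# forgery-protection gate, so the behaviour with and without
# allow_forgery_protection can be exercised stand-alone.
require "securerandom"

# Models config.action_controller.allow_forgery_protection, which Rails sets
# to false in config/environments/test.rb.
$allow_forgery_protection = false

class ApiController
  # Models the class-level effect of
  #   skip_before_action :verify_authenticity_token
  def self.skip_forgery_check
    @skip_forgery_check = true
  end

  def self.skip_forgery_check?
    @skip_forgery_check == true
  end

  # Dispatch one request: run the forgery check (where it applies), then the
  # action. Returns an HTTP status code.
  def handle(request)
    return 422 unless verify_authenticity_token(request)
    200
  end

  private

  # Models Rails' callback: it only does work when protection is enabled and
  # the controller has not skipped it; the submitted token must match the one
  # kept in the session.
  def verify_authenticity_token(request)
    return true unless $allow_forgery_protection
    return true if self.class.skip_forgery_check?
    !request[:authenticity_token].nil? &&
      request[:authenticity_token] == request[:session_token]
  end
end

# API controller that forgot the skip: the mistake the post is about.
class ForgotToSkipController < ApiController; end

# API controller that skips the check as intended.
class SkipsCheckController < ApiController
  skip_forgery_check
end

# Models the RSpec around hook: enable protection for one example and restore
# the previous value afterwards, even if the example raises. In a real
# spec_helper the same shape would use the Rails setting directly:
#   config.around(:each, type: :request) do |example|
#     previous = ActionController::Base.allow_forgery_protection
#     ActionController::Base.allow_forgery_protection = true
#     example.run
#   ensure
#     ActionController::Base.allow_forgery_protection = previous
#   end
def with_forgery_protection(enabled)
  previous = $allow_forgery_protection
  $allow_forgery_protection = enabled
  yield
ensure
  $allow_forgery_protection = previous
end

# A JSON API client has no session form, so it sends no authenticity token.
# The session token is a constructed sample value.
def api_post(controller_class)
  request = { authenticity_token: nil, session_token: SecureRandom.hex(16) }
  controller_class.new.handle(request)
end

# A browser form post carries the token that matches the session.
def form_post(controller_class)
  token = SecureRandom.hex(16)
  controller_class.new.handle(authenticity_token: token, session_token: token)
end

# Status under the stock test environment (protection off).
def status_with_test_default(controller_class)
  with_forgery_protection(false) { api_post(controller_class) }
end

# Status with protection re-enabled, as the API specs would run.
def status_with_protection(controller_class)
  with_forgery_protection(true) { api_post(controller_class) }
end

# Status with protection on and a valid token supplied.
def status_with_protection_and_token(controller_class)
  with_forgery_protection(true) { form_post(controller_class) }
end

if __FILE__ == $PROGRAM_NAME
  puts "default test config, forgot skip: #{status_with_test_default(ForgotToSkipController)}" # 200, bug hidden
  puts "protection on, forgot skip:       #{status_with_protection(ForgotToSkipController)}"   # 422
  puts "protection on, skip present:      #{status_with_protection(SkipsCheckController)}"     # 200
  puts "protection on, valid token:       #{status_with_protection_and_token(ForgotToSkipController)}" # 200
end
```

The first line of output is the problem the post describes: with the test default, the controller that forgot skip_before_action still returns 200. The around hook restores the previous value in an ensure clause, so a failing API example does not leave protection switched on for the rest of the suite, which is what keeps the non-API specs running exactly as before.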