I use REST and OAuth to talk to a Rails application (from an iPhone application, but this should not be relevant). However, I am facing some issues with the Rails CSRF protection (via protect_from_forgery).
I understand that CSRF protection only kicks in for regular form submissions (i.e. Content-Type = application/x-www-form-urlencoded), so it would be great if I could send JSON or XML data. Unfortunately, OAuth is currently limited to application/x-www-form-urlencoded requests. There is a draft specification that extends OAuth to non-form data, but that doesn't help me right now.
As I see it, I have the following options:
1. Send the data as JSON, knowing that it will not be part of the OAuth signature and will thus be subject to man-in-the-middle attacks. Obviously, this is not an attractive solution.
2. Create custom Rails actions (e.g. UsersController#update_oauth) that internally delegate to the regular actions (e.g. UsersController#update), and then exclude them from forgery protection (protect_from_forgery :only => [:update]). This should work and may be borderline acceptable for one or two actions, but it is obviously a very dirty solution.
3. Override the Rails CSRF protection to ignore OAuth requests. I have not tried this, but it seems that one of the hooks (possibly the verify_authenticity_token filter) could be modified to treat OAuth requests as valid.
Has anyone come across this before? Any recommendations? Or am I perhaps missing something basic?
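As an added example (not code from the question's author, and not Rails' own implementation), the following plain-Ruby script shows what option 3 has to verify before it is safe to let an OAuth request bypass the authenticity token: the request's HMAC-SHA1 signature (RFC 5849) must be recomputed over every form parameter and compared in constant time, so that a forged cross-site form post without the consumer and token secrets fails exactly where a missing CSRF token would. The credential store (`CONSUMER_SECRETS`, `TOKEN_SECRETS`), the consumer/token names, the `Request` struct and the sample request are all constructed for this example; `csrf_verified?` mirrors the decision the question attributes to `protect_from_forgery` (GET/HEAD and non-form bodies pass unchecked) with the OAuth branch added, and in a real controller that logic would live in an override of `verified_request?`. Nonce and timestamp replay checks are deliberately left out.

```ruby
require 'openssl'
require 'base64'

# Constructed credential store for the example; a real app looks these up
# from its consumer/access-token tables.
CONSUMER_SECRETS = { 'iphone-app' => 'consumer-s3cret' }.freeze
TOKEN_SECRETS    = { 'user42-token' => 'token-s3cret' }.freeze
FORM = 'application/x-www-form-urlencoded'

# Percent-encoding as RFC 5849 3.6 requires: only A-Z a-z 0-9 - . _ ~ pass,
# everything else (including space and '/') becomes %XX of its UTF-8 bytes.
def oauth_escape(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
       .force_encoding(Encoding::UTF_8)
end

# RFC 5849 3.4.1: METHOD & escape(base URL) & escape(sorted "k=v" pairs).
# oauth_signature itself is never part of the signed material.
def signature_base_string(http_method, url, params)
  normalized = params.reject { |k, _| k.to_s == 'oauth_signature' }
                     .map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [http_method.to_s.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 keyed with "escape(consumer_secret)&escape(token_secret)".
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', key, base_string))
end

# Client side: add the oauth_* parameters to the form body and sign them all.
def sign_request(http_method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, nonce:, timestamp:)
  params = body_params.merge(
    'oauth_consumer_key' => consumer_key, 'oauth_token' => token,
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => timestamp.to_s,
    'oauth_nonce' => nonce, 'oauth_version' => '1.0'
  )
  base = signature_base_string(http_method, url, params)
  params.merge('oauth_signature' => hmac_sha1_signature(base, consumer_secret, token_secret))
end

# Constant-time string comparison so signature checks do not leak by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: recompute the signature over the parameters actually received.
# Any tampered or added form field changes the base string and fails here.
def oauth_signed?(http_method, url, params)
  consumer_secret = CONSUMER_SECRETS[params['oauth_consumer_key']]
  token_secret    = TOKEN_SECRETS[params['oauth_token']]
  return false unless consumer_secret && token_secret
  return false unless params['oauth_signature_method'] == 'HMAC-SHA1'
  expected = hmac_sha1_signature(signature_base_string(http_method, url, params),
                                 consumer_secret, token_secret)
  secure_equal?(params['oauth_signature'].to_s, expected)
end

Request = Struct.new(:http_method, :url, :content_type, :params, keyword_init: true)

# The CSRF gate: safe methods and non-form bodies pass (the behaviour the
# question describes), a matching authenticity token passes, and otherwise
# only a request whose OAuth signature covers the whole form body passes.
def csrf_verified?(req, session_token)
  return true if %w[GET HEAD].include?(req.http_method.to_s.upcase)
  return true unless req.content_type == FORM
  token = req.params['authenticity_token']
  return true if token && secure_equal?(token, session_token)
  oauth_signed?(req.http_method, req.url, req.params)
end

if $PROGRAM_NAME == __FILE__
  url = 'https://api.example.com/users/42'
  signed = sign_request('PUT', url, { 'user[name]' => 'Alice' }, 'iphone-app',
                        'consumer-s3cret', 'user42-token', 'token-s3cret',
                        nonce: 'x7Qn2', timestamp: 1_300_000_000)
  good = Request.new(http_method: 'PUT', url: url, content_type: FORM, params: signed)
  bad  = Request.new(http_method: 'PUT', url: url, content_type: FORM,
                     params: signed.merge('user[name]' => 'Mallory'))
  puts "signed request verified: #{csrf_verified?(good, 'session-csrf-token')}"
  puts "tampered request verified: #{csrf_verified?(bad, 'session-csrf-token')}"
end
```

The point of the `oauth_signed?` branch is that the signature already binds every form parameter to the consumer and token secrets, which a cross-site attacker does not have; that is what makes skipping the authenticity token safe for these requests and, conversely, why option 1 (an unsigned JSON body) removes the protection entirely.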