My rule is no anonymous accounts. So I cannot access the plugin routes. What I would need is a way for a route to be created for this type of scenario.
```ruby
# Default Rails 3.2 lets the request through with a blank session
# we are being more pedantic here and nulling session / current_user
# and then raising a CSRF exception
# NOTE: API key is secret, having it invalidates the need for a CSRF token
unless is_api? || is_user_api?
  render plain: "[\"BAD CSRF\"]", status: 403
end
```
A way to notify during this flow or the whole flow of authentication that a controller and an action received via params (set automatically when you call a route) can bypass everything and execute the route.
I’m not fully aware of how everything works, but since there is an anonymous access option, I’m sure there is a way to do it.
This would allow for people to encrypt the payload if needed, but for generic information updating the system, it would be useful.