My rule is no anonymous accounts. So I cannot access the plugin routes. What I would need is a way for a route to be created for this type of scenario.
For example,
```ruby
# Default Rails 3.2 lets the request through with a blank session
# we are being more pedantic here and nulling session / current_user
# and then raising a CSRF exception
def handle_unverified_request
  # NOTE: API key is secret, having it invalidates the need for a CSRF token
  unless is_api? || is_user_api?
    super
    clear_current_user
    render plain: "[\"BAD CSRF\"]", status: 403
  end
end
```
A way to notify during this flow or the whole flow of authentication that a controller and an action received via params (set automatically when you call a route) can bypass everything and execute the route.
I’m not fully aware of how everything works, but since there is an anonymous access option, I’m sure there is a way to do it.
This would allow for people to encrypt the payload if needed, but for generic information updating the system, it would be useful.