How to allow either a) HTTP auth without CSRF token + SSL or b)require CSRF token with devise?

Question

I have a Rails 3 app configured with user registration using devise running on a server. I am allowing people to login to the server through the website and also allowing people to create accounts and login using an Iphone App.

When people are using the Iphone app, I'd like to support these two actions:

a) Signup for account without CSRF (does this cause any security issues)?

b) Log in with http auth secured by SSL

c) Any POST requests to the server after logging in to be secured with http auth with SSL.

When the user is on the website, I want to require CSRF tokens on all actions (so that the user does not type username and password each time).

Thank you for your help.

Answer 1

You can selectively disable the CSRF token on a controller or individual action methods.

class StatsController < ApplicationController
  skip_before_filter :verify_authenticity_token
  ...
end

I'm actually looking to do something similar, I'll have the iPhone use a different domain name and selectively disable the :verify_authenticity_token filter based on a couple of conditions. This is only to hold us over until we can get our OAUTH2 implementation up and running.