Address review: use resume_session and add forgery protection test

Use resume_session instead of authenticated? in the skip_forgery_protection
condition so the session is established before the forgery check runs,
regardless of callback ordering.

Add a test with forgery protection explicitly enabled to prove the CSRF
bypass works in production, not just in test mode where CSRF is disabled
by default.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 2 people

config/initializers/active_storage.rb

@@ -52,7 +52,7 @@ module ActiveStorageDirectUploadsControllerExtensions
   included do
     include Authentication
     include Authorization
-    skip_forgery_protection if: -> { authenticate_by_bearer_token || (authenticated? && request.format.json?) }
+    skip_forgery_protection if: -> { authenticate_by_bearer_token || (resume_session && request.format.json?) }
   end
 end
 

test/controllers/active_storage/direct_uploads_controller_test.rb

@@ -45,6 +45,19 @@ class ActiveStorage::DirectUploadsControllerTest < ActionDispatch::IntegrationTe
     assert_includes response.parsed_body.keys, "direct_upload"
   end
 
+  test "create with session token skips forgery protection" do
+    sign_in_as :david
+
+    with_forgery_protection do
+      post rails_direct_uploads_path,
+        params: @blob_params,
+        as: :json
+
+      assert_response :success
+      assert_includes response.parsed_body.keys, "direct_upload"
+    end
+  end
+
   test "create with session token in another account is forbidden" do
     sign_in_as :david
 
@@ -104,4 +117,12 @@ class ActiveStorage::DirectUploadsControllerTest < ActionDispatch::IntegrationTe
     def bearer_token_header(token)
       { "Authorization" => "Bearer #{token}" }
     end
+
+    def with_forgery_protection
+      original = ActionController::Base.allow_forgery_protection
+      ActionController::Base.allow_forgery_protection = true
+      yield
+    ensure
+      ActionController::Base.allow_forgery_protection = original
+    end
 end