add exception to protect_from_forgery method and add skip verify_auth…

[GAKINDUSTRIES]

Modify the way csrf requests are handled

Trello board reference:

• Trello Card #ENHACEMENT

---

Description:

• This PR intends to modify the way CSRF token is being handled for API's. I have been researching about this topic, and some argued that CSRF token should be set to null if is being used with API. Other ones argued that this modification is the correct way to handle CSRF token for API. This modification intends to ensure that the request fails to execute and trunk the workflow.

---

Reviewers:

• @MaicolBen
• @matiasmansilla1989
• @jiv

---

Notes:

• I attach some of the documents I read in order to lean for this approach:

• https://nvisium.com/blog/2014/09/10/understanding-protectfromforgery/

• https://mathieu.fenniak.net/is-your-web-api-susceptible-to-a-csrf-exploit/

• http://stackoverflow.com/questions/10167956/rails-shows-warning-cant-verify-csrf-token-authenticity-from-a-restkit-post

• http://stackoverflow.com/questions/20745843/is-this-rails-json-authentication-api-using-devise-secure

• Q: What is the simple_token_authentication configuration for an api? gonzalo-bulnes/simple_token_authentication#67

• http://jamescpoole.com/2013/10/31/rails-4-csrf-protection-with-clients-using-apis/

---

Tasks:

• Change protect_from_forgery from null_session to exception in all API controllers

• Add skip for verify_authenticity_token if the request format is json

---

Risk:

• Medium

---

[matiasmansilla1989]

@GAKINDUSTRIES Great Job!

[MaicolBen]

Can't you use a concern to avoid repeated code?