It seems quite easy to forget to disable ‘forgery_protection’ when testing with request specs, since everything just works; the only way to notice is to verify with curl, which is a little bit tedious.
I’m thinking that we should introduce one more type of spec, such as
public_request/ or just
ActionController::Base.allow_forgery_protection = true
Is there a rule of thumb you’re using when TDD’ing public APIs?
Thanks in advance.