basecamp · rbarbosa · Mar 16, 2026 · Mar 23, 2026
diff --git a/config/initializers/active_storage.rb b/config/initializers/active_storage.rb
@@ -52,7 +52,7 @@ module ActiveStorageDirectUploadsControllerExtensions
   included do
     include Authentication
     include Authorization
-    skip_forgery_protection if: :authenticate_by_bearer_token
+    skip_forgery_protection if: -> { authenticate_by_bearer_token || (authenticated? && request.format.json?) }
   end
 end
 

diff --git a/test/controllers/active_storage/direct_uploads_controller_test.rb b/test/controllers/active_storage/direct_uploads_controller_test.rb
@@ -34,6 +34,27 @@ class ActiveStorage::DirectUploadsControllerTest < ActionDispatch::IntegrationTe
     assert_includes response.parsed_body.keys, "direct_upload"
   end
 
+  test "create with session token" do
+    sign_in_as :david
+
+    post rails_direct_uploads_path,
+      params: @blob_params,
+      as: :json
+
+    assert_response :success
+    assert_includes response.parsed_body.keys, "direct_upload"
+  end
+
+  test "create with session token in another account is forbidden" do
+    sign_in_as :david
+
+    post rails_direct_uploads_path(script_name: "/#{ActiveRecord::FixtureSet.identify("initech")}"),
+      params: @blob_params,
+      as: :json
+
+    assert_response :forbidden
+  end
+
   test "create with read-only access token" do
     post rails_direct_uploads_path,
       params: @blob_params,