diff --git a/.rubocop.yml b/.rubocop.yml
index ff3f27e..bb02624 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -230,6 +230,12 @@ Metrics/ParameterLists:
 Metrics/PerceivedComplexity:
   Enabled: false
 
+Bundler/OrderedGems:
+  Enabled: false
+
+Bundler/DuplicatedGem:
+  Enabled: false
+
 Metrics/BlockLength:
   Exclude:
     - 'spec/**/*.rb'
diff --git a/Gemfile b/Gemfile
index e9c51d6..ec2f0b7 100644
--- a/Gemfile
+++ b/Gemfile
@@ -5,9 +5,15 @@ gem 'solidus', github: 'solidusio/solidus', branch: branch
 # Provides basic authentication functionality for testing parts of your engine
 gem 'solidus_auth_devise'
 
-if branch < 'v2.0'
-  gem 'rails', '~> 4.2.7'
-  gem 'rails_test_params_backport', group: :test
+if branch == 'master' || branch >= "v2.3"
+  gem 'rails', '~> 5.1.0' # HACK: broken bundler dependency resolution
+  gem "rails-controller-testing", group: :test
+elsif branch >= "v2.0"
+  gem 'rails', '~> 5.0.3' # HACK: broken bundler dependency resolution
+  gem "rails-controller-testing", group: :test
+else
+  gem "rails", '~> 4.2.0' # HACK: broken bundler dependency resolution
+  gem "rails_test_params_backport", group: :test
 end
 
 gemspec
diff --git a/app/controllers/spree/paybright_controller.rb b/app/controllers/spree/paybright_controller.rb
index 435e4ee..c2a31ec 100644
--- a/app/controllers/spree/paybright_controller.rb
+++ b/app/controllers/spree/paybright_controller.rb
@@ -1,5 +1,8 @@
 module Spree
   class PaybrightController < Spree::BaseController
+    # We can't use CSRF protection on a route that's hit by an external service
+    skip_before_action :verify_authenticity_token, only: :callback, raise: false
+
     # Server2server call that gets parameters about the results of the Paybright
     # transaction.
     def callback