| Module | ActionController::RequestForgeryProtection |
| In: |
vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb
|
# File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 6
# Hook run when this module is mixed into a controller class.
#
# It gives +base+ a per-class, inheritable +request_forgery_protection_options+
# hash (initially empty), exposes +form_authenticity_token+ and
# +protect_against_forgery?+ to views as helper methods, and extends +base+
# with +ClassMethods+ (presumably where +protect_from_forgery+ lives — the
# module body is not shown here).
def self.included(base)
  base.class_eval do
    class_inheritable_accessor :request_forgery_protection_options
    self.request_forgery_protection_options = {}
    # Both are needed by form helpers / layouts to emit the hidden token field.
    helper_method :form_authenticity_token, :protect_against_forgery?
  end
  base.extend(ClassMethods)
end
Used when no :secret was given to protect_from_forgery: the session store is assumed to be the cookie session store, whose +dbman+ can produce a keyed digest. A random +csrf_id+ is stored in the session on first use and the token is the store's digest of that id, so the token is bound to this session.
# File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 139
# Derives the authenticity token when the cookie session store is in use.
#
# On the first call a random +csrf_id+ is minted and persisted in the session;
# every later call reuses it, so the token is stable for the life of the
# session and changes when the session is reset. The returned value is the
# store's own keyed digest of that id (the store's secret is not visible here,
# so its strength is whatever the cookie store is configured with).
def authenticity_token_from_cookie_session
  if session[:csrf_id].nil?
    session[:csrf_id] = CGI::Session.generate_unique_id
  end
  # Re-read rather than reuse the local so any normalisation done by the
  # session's []= is reflected in the digest input.
  session.dbman.generate_digest(session[:csrf_id])
end
Generates the token as an HMAC (SHA1 unless a :digest option is given) over the session id, keyed with the configured :secret — either a string or a callable that receives the session and returns the key.
# File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 128
# Derives the authenticity token from the session id and the configured secret.
#
# The :secret option may be a plain key or a callable; a callable is invoked
# with the session (@session) and must return the key. The token is
# HMAC(key, session_id) using the :digest option, which defaults to SHA1 and
# is written back into the options hash on first use.
#
# NOTE(review): the key goes through +to_s+, so a callable that returns nil
# silently yields an HMAC keyed with "" — the token then depends only on the
# session id. Callers should make sure the secret is actually set.
def authenticity_token_from_session_id
  secret = request_forgery_protection_options[:secret]
  key = secret.respond_to?(:call) ? secret.call(@session) : secret
  digest_name = (request_forgery_protection_options[:digest] ||= 'SHA1')
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(digest_name), key.to_s, session.session_id.to_s)
end
# File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 105
# Returns the authenticity token the client sent in the request parameters,
# looked up under the configured parameter name (request_forgery_protection_token).
# Returns nil when the parameter is absent; the value is untrusted input and
# may be any type the params parser produces, not necessarily a String.
def form_authenticity_param
  token_param_name = request_forgery_protection_token
  params[token_param_name]
end
Returns the authenticity token for the current session, memoized for the rest of the request. Pass a :secret option to protect_from_forgery to key the HMAC with your own secret (it is an HMAC key, not a salt); without one the cookie session store must supply the digest.
# File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 115
# Returns the authenticity token for the current session, computing it at most
# once per request (memoized in @form_authenticity_token).
#
# Resolution order:
#   1. a :secret option on protect_from_forgery -> HMAC of the session id;
#   2. otherwise a session store whose dbman can generate_digest (the cookie
#      store) -> digest of a per-session csrf_id;
#   3. otherwise nothing can produce a token and an error is raised.
#
# Raises InvalidAuthenticityToken when the session does not expose a
# session_id (no usable session) or when no token source is available.
def form_authenticity_token
  @form_authenticity_token ||= begin
    unless session.respond_to?(:session_id)
      raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session."
    end

    if request_forgery_protection_options[:secret]
      authenticity_token_from_session_id
    elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
      authenticity_token_from_cookie_session
    else
      raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store)."
    end
  end
end
# File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 89
# Reaction to a request that failed verified_request? (the caller is not shown
# here; presumably the protect_from_forgery filter).
#
# The session is reset rather than an exception raised, so the request goes on
# with an empty session and any session-based login is gone. NOTE(review): if
# authentication also rests on something outside the session (a persistent
# "remember me" cookie, HTTP auth), a forged request would still run
# authenticated — override this to raise or halt in that case.
def handle_unverified_request
  reset_session
end
# File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 144
# Whether forgery protection is active for this controller: both the
# allow_forgery_protection switch and a configured token parameter name
# (request_forgery_protection_token) must be set.
#
# Returns the falsy switch value when protection is off, otherwise the token
# parameter name — truthy, but not literally +true+, so callers should only
# rely on truthiness.
def protect_against_forgery?
  enabled = allow_forgery_protection
  enabled && request_forgery_protection_token
end
# File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 109
# True when the request's content type is absent or is one whose
# verify_request? is set.
#
# NOTE(review): verified_request? in this file does not call this method, so
# the request format no longer exempts anything from the token check; this
# predicate looks like a leftover and should not be reintroduced into the
# verification path, since a format-based skip lets a forged non-form body
# (e.g. text/plain or XML) bypass CSRF protection.
def verifiable_request_format?
  content_type = request.content_type
  content_type.nil? || content_type.verify_request?
end
Returns true if the request passes the forgery check and false otherwise. It passes when forgery protection is disabled, when the request is a GET, or when the token sent in the request parameter or in the X-CSRF-Token header matches form_authenticity_token for this session. The request format is not consulted.
# File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 98
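# Returns true when the request may proceed without being treated as a
# forgery, false otherwise. A request passes when:
#
#   * forgery protection is off (protect_against_forgery? is falsy), or
#   * it is a GET (whether HEAD is folded into GET depends on the request
#     class — verify; POST/PUT/DELETE are all checked), or
#   * the token in the request parameter or in the X-CSRF-Token header
#     matches form_authenticity_token for this session.
#
# The request format is deliberately NOT consulted (verifiable_request_format?
# is not called), so XML/JSON bodies are checked exactly like form posts.
#
# Raises InvalidAuthenticityToken (via form_authenticity_token) when a token
# comparison is needed but there is no usable session.
def verified_request?
  !protect_against_forgery? ||
    request.get? ||
    secure_compare_token(form_authenticity_param) ||
    secure_compare_token(request.headers['X-CSRF-Token'])
end

# Compares an attacker-supplied candidate against the session's token in
# constant time. A plain == returns at the first differing byte, which leaks
# how much of the token was guessed correctly through response timing.
# Non-String candidates (nil, or an array/hash from authenticity_token[]=...)
# never match, mirroring the old String == behaviour.
def secure_compare_token(candidate)
  # Evaluated before the candidate check so a missing session still raises
  # InvalidAuthenticityToken, as it did when == forced the token lookup.
  expected = form_authenticity_token.to_s
  return false unless candidate.is_a?(String) && candidate.bytesize == expected.bytesize

  mismatch = 0
  candidate.bytes.zip(expected.bytes) { |a, b| mismatch |= a ^ b }
  mismatch.zero?
end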