Class: Rack::Csrf

Inherits:

Object

• Object
• Rack::Csrf

Defined in:

lib/rack/csrf.rb,
lib/rack/csrf/version.rb

Defined Under Namespace

Classes: InvalidCsrfToken, SessionUnavailable

Constant Summary

VERSION =

'2.5.0'

@@field =

'_csrf'

@@header =

'X_CSRF_TOKEN'

@@key =

'csrf.token'

Class Method Summary

• .field ⇒ Object (also: csrf_field)
• .header ⇒ Object (also: csrf_header)
• .key ⇒ Object (also: csrf_key)
• .metatag(env, options = {}) ⇒ Object (also: csrf_metatag)
• .tag(env) ⇒ Object (also: csrf_tag)
• .token(env) ⇒ Object (also: csrf_token)

Instance Method Summary

• #call(env) ⇒ Object
• #initialize(app, opts = {}) ⇒ Csrf constructor

  A new instance of Csrf.

Constructor Details

#initialize(app, opts = {}) ⇒ Csrf

Returns a new instance of Csrf.

# File 'lib/rack/csrf.rb', line 13

def initialize(app, opts = {})
  @app = app

  @raisable        = opts[:raise] || false
  @skip_list       = (opts[:skip] || []).map {|r| /\A#{r}\Z/i}
  @skip_if         = opts[:skip_if] if opts[:skip_if]
  @check_only_list = (opts[:check_only] || []).map {|r| /\A#{r}\Z/i}
  @@field          = opts[:field] if opts[:field]
  @@header         = opts[:header] if opts[:header]
  @@key            = opts[:key] if opts[:key]

  standard_http_methods = %w(POST PUT DELETE PATCH)
  check_also            = opts[:check_also] || []
  @http_methods = (standard_http_methods + check_also).flatten.uniq
end

Class Method Details

.field ⇒ Object Also known as: csrf_field

# File 'lib/rack/csrf.rb', line 50

def self.field
  @@field
end

.header ⇒ Object Also known as: csrf_header

# File 'lib/rack/csrf.rb', line 54

def self.header
  @@header
end

.key ⇒ Object Also known as: csrf_key

# File 'lib/rack/csrf.rb', line 46

def self.key
  @@key
end

.metatag(env, options = {}) ⇒ Object Also known as: csrf_metatag

# File 'lib/rack/csrf.rb', line 66

def self.metatag(env, options = {})
  name = options.delete(:name) || '_csrf'
  %Q(<meta name="#{name}" content="#{token(env)}" />)
end

.tag(env) ⇒ Object Also known as: csrf_tag

# File 'lib/rack/csrf.rb', line 62

def self.tag(env)
  %Q(<input type="hidden" name="#{field}" value="#{token(env)}" />)
end

.token(env) ⇒ Object Also known as: csrf_token

# File 'lib/rack/csrf.rb', line 58

def self.token(env)
  env['rack.session'][key] ||= SecureRandom.base64(32)
end

Instance Method Details

#call(env) ⇒ Object

# File 'lib/rack/csrf.rb', line 29

def call(env)
  unless env['rack.session']
    raise SessionUnavailable.new('Rack::Csrf depends on session middleware')
  end
  req = Rack::Request.new(env)
  untouchable = skip_checking(req) ||
    !@http_methods.include?(req.request_method) ||
    req.params[self.class.field] == self.class.token(env) ||
    req.env[self.class.rackified_header] == self.class.token(env)
  if untouchable
    @app.call(env)
  else
    raise InvalidCsrfToken if @raisable
    [403, {'Content-Type' => 'text/html', 'Content-Length' => '0'}, []]
  end
end