Class: Rack::Csrf
- Inherits:
-
Object
show all
- Defined in:
- lib/rack/csrf.rb,
lib/rack/csrf/version.rb
Defined Under Namespace
Classes: InvalidCsrfToken, SessionUnavailable
Constant Summary
collapse
- VERSION =
'2.5.0'
- @@field =
'_csrf'
'X_CSRF_TOKEN'
- @@key =
'csrf.token'
Class Method Summary
collapse
Instance Method Summary
collapse
Constructor Details
#initialize(app, opts = {}) ⇒ Csrf
Returns a new instance of Csrf.
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
# File 'lib/rack/csrf.rb', line 13
def initialize(app, opts = {})
@app = app
@raisable = opts[:raise] || false
@skip_list = (opts[:skip] || []).map {|r| /\A#{r}\Z/i}
@skip_if = opts[:skip_if] if opts[:skip_if]
@check_only_list = (opts[:check_only] || []).map {|r| /\A#{r}\Z/i}
@@field = opts[:field] if opts[:field]
@@header = opts[:header] if opts[:header]
@@key = opts[:key] if opts[:key]
standard_http_methods = %w(POST PUT DELETE PATCH)
check_also = opts[:check_also] || []
@http_methods = (standard_http_methods + check_also).flatten.uniq
end
|
Class Method Details
.field ⇒ Object
Also known as:
csrf_field
50
51
52
|
# File 'lib/rack/csrf.rb', line 50
def self.field
@@field
end
|
54
55
56
|
# File 'lib/rack/csrf.rb', line 54
def self.
@@header
end
|
.key ⇒ Object
Also known as:
csrf_key
46
47
48
|
# File 'lib/rack/csrf.rb', line 46
def self.key
@@key
end
|
66
67
68
69
|
# File 'lib/rack/csrf.rb', line 66
def self.metatag(env, options = {})
name = options.delete(:name) || '_csrf'
%Q(<meta name="#{name}" content="#{token(env)}" />)
end
|
.tag(env) ⇒ Object
Also known as:
csrf_tag
62
63
64
|
# File 'lib/rack/csrf.rb', line 62
def self.tag(env)
%Q(<input type="hidden" name="#{field}" value="#{token(env)}" />)
end
|
.token(env) ⇒ Object
Also known as:
csrf_token
58
59
60
|
# File 'lib/rack/csrf.rb', line 58
def self.token(env)
env['rack.session'][key] ||= SecureRandom.base64(32)
end
|
Instance Method Details
#call(env) ⇒ Object
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
# File 'lib/rack/csrf.rb', line 29
def call(env)
unless env['rack.session']
raise SessionUnavailable.new('Rack::Csrf depends on session middleware')
end
req = Rack::Request.new(env)
untouchable = skip_checking(req) ||
!@http_methods.include?(req.request_method) ||
req.params[self.class.field] == self.class.token(env) ||
req.env[self.class.] == self.class.token(env)
if untouchable
@app.call(env)
else
raise InvalidCsrfToken if @raisable
[403, {'Content-Type' => 'text/html', 'Content-Length' => '0'}, []]
end
end
|