Class: Omniauth::Protect::Validator

Inherits:

Object

Object
Omniauth::Protect::Validator

show all

Defined in:: lib/omniauth/protect/validator.rb

Instance Method Summary collapse

#initialize(env, encoded_masked_token) ⇒ Validator constructor

A new instance of Validator.
#valid_csrf_token? ⇒ Boolean

This is mostly taken & adapted from Rails’ action_controller/metal/request_forgery_protection.rb We copy code from Rails in such a horrible manner because Rails doesn’t really expose CSRF protection.

Constructor Details

#initialize(env, encoded_masked_token) ⇒ `Validator`

Returns a new instance of Validator.

# File 'lib/omniauth/protect/validator.rb', line 6

def initialize(env, encoded_masked_token)
  @session = env['rack.session']
  @encoded_masked_token = encoded_masked_token
end

Instance Method Details

#valid_csrf_token? ⇒ `Boolean`

This is mostly taken & adapted from Rails’ action_controller/metal/request_forgery_protection.rb We copy code from Rails in such a horrible manner because Rails doesn’t really expose CSRF protection

Returns:

(Boolean)

# File 'lib/omniauth/protect/validator.rb', line 13

def valid_csrf_token?
  begin
    masked_token = Base64.urlsafe_decode64(@encoded_masked_token)
  rescue ArgumentError # @encoded_masked_token is invalid Base64
    return false
  end

  token_length = ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH

  if masked_token.length == token_length * 2
    csrf_token = unmask_token(masked_token, token_length)

    real_token = real_csrf_token(token_length)
    global_token = global_csrf_token(real_token)

    compare_tokens(csrf_token, real_token) || compare_tokens(csrf_token, global_token)
  end
end