Class: TokenBox

Inherits: Object
Defined in:
lib/pasaporte/token_box.rb

Overview

A simple but effective CSRF protector: tokens are minted per request URI, expire after WINDOW, and are consumed the first time they validate.

Defined Under Namespace

Classes: Invalid, Token

Constant Summary

CHARS = [*'A'..'Z'] + [*'0'..'9'] + [*'a'..'z']

WINDOW = 10.minutes
  Gone in 60 seconds (the default token lifetime; 10.minutes is ActiveSupport's Integer#minutes)

Instance Method Details

#procure!(request, lifetime = nil) ⇒ Object

Procure a CSRF token for a specific request URI and return it as a String; the lifetime defaults to WINDOW.

# File 'lib/pasaporte/token_box.rb', line 27
def procure!(request, lifetime = nil)
  # ActiveSupport's Object#returning (the predecessor of #tap): yields the new
  # Token, then returns it, so the trailing .to_s hands back the token string
  returning(Token.new(lifetime || WINDOW)) do | t |
    @heap ||= {}                 # tokens live in memory, keyed by request URI
    @heap[request] ||= []
    # cap outstanding tokens per URI; the oldest is dropped when the list is full
    @heap[request].shift if @heap[request].length >= MAX_TOKENS
    @heap[request] << t
  end.to_s
end

#validate!(request, token) ⇒ Object

Validate the token for a specific request URI. Expired tokens for that URI are discarded first, and a token that validates is removed from the heap so it cannot be presented again.

Raises:
  (Invalid) if no token was ever procured for this request URI, or if the submitted token does not match a live (unexpired, unused) one

# File 'lib/pasaporte/token_box.rb', line 37
def validate!(request, token)
  # nothing was ever procured for this URI (or on this TokenBox instance)
  raise Invalid.new("no heap part") unless (@heap && @heap[request])
  # purge tokens whose lifetime has elapsed before looking for a match
  @heap[request].reject!{|t| t.expired? }
  # compare the submitted string against each live token's string form
  raise Invalid.new("no token found in heap") unless @heap[request].find{|e| e.to_s == token}
  # a token that validates is consumed, so it cannot be replayed
  @heap[request].reject!{|e| e.to_s == token }
end
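The following is an added example, not pasaporte's own code: a self-contained re-implementation of the procure!/validate! flow documented above, so the single-use, per-URI and expiry behaviour can be exercised without the gem or ActiveSupport. The Token and Invalid classes, the 32-character token length, the MAX_TOKENS value of 10, the injectable `now` parameter and the `rejects?`/`outstanding` helpers are all assumptions of this example; the constant-time comparison is a swapped-in design choice, where the page's code uses a plain `==`.

```ruby
require 'securerandom'

# Added example, not pasaporte's own code: a self-contained version of the
# per-request-URI, single-use CSRF token box described above. The Token and
# Invalid classes, the token length (32) and MAX_TOKENS (10) are assumptions
# filled in so the whole procure!/validate! flow runs without the gem or
# ActiveSupport.
class DemoTokenBox
  class Invalid < StandardError; end

  CHARS = [*'A'..'Z'] + [*'0'..'9'] + [*'a'..'z']   # alphabet from the page
  WINDOW = 10 * 60     # the page's 10.minutes, in plain seconds
  MAX_TOKENS = 10      # assumed cap on outstanding tokens per request URI

  # A token carries its own expiry so stale entries can be purged on validation.
  class Token
    def initialize(lifetime, now)
      @value = Array.new(32) { CHARS[SecureRandom.random_number(CHARS.length)] }.join
      @expires_at = now + lifetime
    end

    def expired?(now)
      now >= @expires_at
    end

    def to_s
      @value
    end
  end

  def initialize
    @heap = {}   # request URI => list of live tokens, in memory only
  end

  # Mint a token bound to one request URI and return it as a String. Once the
  # per-URI list is full the oldest token is dropped, so reloading a form many
  # times cannot grow the heap without bound. `now` is injectable for testing.
  def procure!(request, lifetime = nil, now = Time.now)
    t = Token.new(lifetime || WINDOW, now)
    list = (@heap[request] ||= [])
    list.shift if list.length >= MAX_TOKENS
    list << t
    t.to_s
  end

  # Accept a token only if it was issued for this URI, has not expired and has
  # not been used before; a successful validation consumes it.
  def validate!(request, token, now = Time.now)
    list = @heap[request]
    raise Invalid, "no heap part" unless list
    list.reject! { |t| t.expired?(now) }
    match = list.find { |t| secure_equal?(t.to_s, token.to_s) }
    raise Invalid, "no token found in heap" unless match
    list.delete(match)
    true
  end

  # Convenience for callers that want a boolean rather than an exception.
  def rejects?(request, token, now = Time.now)
    validate!(request, token, now)
    false
  rescue Invalid
    true
  end

  def outstanding(request)
    (@heap[request] || []).length
  end

  private

  # Constant-time comparison (the page's code uses ==): validation time then
  # does not depend on how many leading characters of the submitted token
  # happened to be right.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk the flow once when run as a script: issue, use, then show that a replay,
# a wrong URI and an expired token are all rejected.
if $PROGRAM_NAME == __FILE__
  box = DemoTokenBox.new
  t0 = Time.now
  token = box.procure!('/settings', nil, t0)
  puts "first use accepted: #{box.validate!('/settings', token, t0)}"
  puts "replay rejected:    #{box.rejects?('/settings', token, t0)}"
  token = box.procure!('/settings', nil, t0)
  puts "wrong URI rejected: #{box.rejects?('/profile', token, t0)}"
  puts "expired rejected:   #{box.rejects?('/settings', token, t0 + DemoTokenBox::WINDOW + 1)}"
end
```

Two properties of the documented design carry over unchanged and are worth keeping in mind when deploying something like it: the heap is held in memory on one TokenBox instance, so tokens are only valid against the process that issued them, and a token is bound to the exact request key it was procured for, so the key passed to validate! must be the same one used at procure time.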