Module | ActionController::RequestForgeryProtection |
In: |
vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb
|
# Hook run when this module is mixed into a controller class.
#
# It declares the request_forgery_protection_options accessor via
# class_inheritable_accessor, seeds it with an empty hash, exposes the
# two token helpers to the view layer with helper_method, and extends the
# including class with ClassMethods.
#
# @param base [Class] the class that included this module
def self.included(base)
  base.class_eval do
    class_inheritable_accessor :request_forgery_protection_options
    self.request_forgery_protection_options = {}
    # Both helpers are needed by the form builders that emit the hidden token field.
    [:form_authenticity_token, :protect_against_forgery?].each { |name| helper_method(name) }
  end
  base.extend(ClassMethods)
end
No secret was given, so assume this is a cookie session store.
# No secret was given, so assume this is a cookie session store.
#
# A per-session id is created on first use (CGI::Session.generate_unique_id)
# and kept in the session under :csrf_id; the store's own dbman then turns
# that id into a digest, which becomes the authenticity token.
#
# @return [String] the digest produced by session.dbman.generate_digest
def authenticity_token_from_cookie_session
  csrf_id = session[:csrf_id] || (session[:csrf_id] = CGI::Session.generate_unique_id)
  session.dbman.generate_digest(csrf_id)
end
Generates a unique digest using the session_id and the CSRF secret.
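# Generates a unique digest using the session_id and the CSRF secret.
#
# The token is HMAC(secret, session_id): the secret never appears in the
# page, so a token that leaks (e.g. through a cached page) does not expose
# the secret itself. The :secret option may be a plain value or a callable
# that is handed the session (@session) and returns the key.
#
# @return [String] hex-encoded HMAC of the session id
def authenticity_token_from_session_id
  secret = request_forgery_protection_options[:secret]
  key = secret.respond_to?(:call) ? secret.call(@session) : secret
  # Default to SHA1 and remember the choice in the shared options hash, as before.
  digest = request_forgery_protection_options[:digest] ||= 'SHA1'
  # OpenSSL::Digest::Digest was deprecated in Ruby 2.1 and has since been removed;
  # OpenSSL::Digest.new(name) is the supported constructor.
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(digest), key.to_s, session.session_id.to_s)
end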
Returns the token value for the current session, computing it once and memoizing it. Pass a :secret option to protect_from_forgery to derive the token from your own secret instead of relying on the session store.
# Returns the authenticity token for the current session, memoized in
# @form_authenticity_token so every call in one request yields the same value.
#
# The token comes from one of two sources: an HMAC keyed with the :secret
# option when one is configured, otherwise a digest the cookie session store
# generates itself. Without either there is nothing to derive a token from.
#
# @return [String]
# @raise [InvalidAuthenticityToken] when the session has no session_id, or
#   when neither a :secret nor a digest-capable session store is available
def form_authenticity_token
  return @form_authenticity_token if @form_authenticity_token

  unless session.respond_to?(:session_id)
    raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session. Use #allow_forgery_protection to disable it, or use a valid session."
  end

  @form_authenticity_token =
    if request_forgery_protection_options[:secret]
      authenticity_token_from_session_id
    elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
      authenticity_token_from_cookie_session
    else
      raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call. Set that or use a session store capable of generating its own keys (Cookie Session Store)."
    end
end
# Whether forgery protection is active for this controller.
#
# Truthy only when allow_forgery_protection is on and a
# request_forgery_protection_token (the params key to check) is configured.
# Like the original, this returns the token name rather than a strict
# boolean when protection is on, and the allow_forgery_protection value
# (nil or false) when it is off.
def protect_against_forgery?
  enabled = allow_forgery_protection
  enabled ? request_forgery_protection_token : enabled
end
# Whether the request's content type is one that must carry a token.
#
# A request with no Content-Type at all counts as verifiable; otherwise the
# decision is delegated to the content type's own verify_request? predicate.
#
# @return [Boolean]
def verifiable_request_format?
  content_type = request.content_type
  content_type.nil? || content_type.verify_request?
end
Returns true if the request is verified and false otherwise. Checks:
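# Returns true if the request is verified and false otherwise. Checks:
#
# * is forgery protection switched off (see #protect_against_forgery?)?
# * is the request a GET?
# * is the request in a format that is not verifiable (see #verifiable_request_format?)?
# * does the token sent in params match the session's form_authenticity_token?
#
# Any one of the first three short-circuits to true; only the last performs
# the actual token comparison.
def verified_request?
  !protect_against_forgery? ||
    request.method == :get ||
    !verifiable_request_format? ||
    authenticity_token_matches?(params[request_forgery_protection_token])
end

# Compares the session's token with a submitted value without depending on
# where the first differing byte is (String#== returns as soon as one byte
# differs), so a mismatch does not leak how much of the token was right.
# Only the length is compared early, the usual compromise for a digest.
#
# @param candidate [Object] the raw params value, possibly nil or not a String
# @return [Boolean]
def authenticity_token_matches?(candidate)
  expected = form_authenticity_token
  # Keep plain-equality semantics when either side is not a String (nil, or an
  # array from a malformed params hash): those never equal the token anyway.
  return expected == candidate unless expected.is_a?(String) && candidate.is_a?(String)
  return false unless expected.bytesize == candidate.bytesize
  expected_bytes = expected.unpack('C*')
  diff = 0
  candidate.unpack('C*').each_with_index { |byte, i| diff |= byte ^ expected_bytes[i] }
  diff.zero?
end
private :authenticity_token_matches?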
The actual before_filter that is used. Modify this to change how you handle unverified requests.
# The actual before_filter that is used. Modify this to change how you handle
# unverified requests.
#
# @return [true] when the request passes #verified_request?
# @raise [ActionController::InvalidAuthenticityToken] otherwise
def verify_authenticity_token
  raise ActionController::InvalidAuthenticityToken unless verified_request?
  true
end