Module ActionController::RequestForgeryProtection
In: vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb

Methods

Classes and Modules

Module ActionController::RequestForgeryProtection::ClassMethods

Public Class methods

[Source]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 6
 6:     def self.included(base)
 7:       base.class_eval do
 8:         class_inheritable_accessor :request_forgery_protection_options
 9:         self.request_forgery_protection_options = {}
10:         helper_method :form_authenticity_token
11:         helper_method :protect_against_forgery?
12:       end
13:       base.extend(ClassMethods)
14:     end

Protected Instance methods

No secret was given, so assume this is a cookie session store.

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 139
139:       def authenticity_token_from_cookie_session
140:         session[:csrf_id] ||= CGI::Session.generate_unique_id
141:         session.dbman.generate_digest(session[:csrf_id])
142:       end

Generates a unique digest using the session_id and the CSRF secret.

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 128
128:       def authenticity_token_from_session_id
129:         key = if request_forgery_protection_options[:secret].respond_to?(:call)
130:           request_forgery_protection_options[:secret].call(@session)
131:         else
132:           request_forgery_protection_options[:secret]
133:         end
134:         digest = request_forgery_protection_options[:digest] ||= 'SHA1'
135:         OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(digest), key.to_s, session.session_id.to_s)
136:       end

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 105
105:       def form_authenticity_param
106:         params[request_forgery_protection_token]
107:       end

Sets the token value for the current session. Pass a :secret option in protect_from_forgery to add a custom salt to the hash.

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 115
115:       def form_authenticity_token
116:         @form_authenticity_token ||= if !session.respond_to?(:session_id)
117:           raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
118:         elsif request_forgery_protection_options[:secret]
119:           authenticity_token_from_session_id
120:         elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
121:           authenticity_token_from_cookie_session
122:         else
123:           raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call.  Set that or use a session store capable of generating its own keys (Cookie Session Store)."
124:         end
125:       end

[Source]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 89
89:       def handle_unverified_request
90:         reset_session
91:       end

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 144
144:       def protect_against_forgery?
145:         allow_forgery_protection && request_forgery_protection_token
146:       end

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 109
109:       def verifiable_request_format?
110:         request.content_type.nil? || request.content_type.verify_request?
111:       end

Returns true if the request is verified and false otherwise. Checks:

  • is the format restricted? By default, only HTML and AJAX requests are checked.
  • is it a GET request? GETs should be safe and idempotent.
  • does the form_authenticity_token match the given _token value from the params?

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 98
 98:       def verified_request?
 99:         !protect_against_forgery?                            ||
100:           request.get?                                       ||
101:           form_authenticity_token == form_authenticity_param ||
102:           form_authenticity_token == request.headers['X-CSRF-Token']
103:       end

The actual before_filter that is used. Modify this to change how you handle unverified requests.

[Source]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 85
85:       def verify_authenticity_token
86:         verified_request? || handle_unverified_request
87:       end
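The following is an added, stand-alone model of the token derivation (authenticity_token_from_session_id), the verified_request? decision and the verify_authenticity_token filter above; it is example code written for this page, not Rails' own implementation. SimpleRequest, ForgeryCheck and the sample secret and session id are constructed stand-ins for ActionController's request, controller and session objects. It follows the same decision order as the source (GETs are never checked, then the form parameter, then the X-CSRF-Token header) and models reset_session by clearing the session hash. Two deliberate differences from the page's code are labelled in comments: OpenSSL::Digest.new replaces the older OpenSSL::Digest::Digest.new constructor, and tokens are compared byte-by-byte in constant time rather than with ==.

```ruby
require 'openssl'

# Constructed stand-in for ActionController's request object.
# (Named http_method rather than method to avoid shadowing Object#method.)
SimpleRequest = Struct.new(:http_method, :params, :headers) do
  def get?
    http_method == 'GET'
  end
end

# Constructed stand-in for a controller that mixes in RequestForgeryProtection.
class ForgeryCheck
  TOKEN_PARAM = 'authenticity_token'.freeze

  attr_reader :session, :request

  def initialize(secret:, session_id:, request:, digest: 'SHA1')
    @secret  = secret                     # the :secret option: a string or a callable
    @session = { session_id: session_id } # hash in place of the Rails session store
    @request = request
    @digest  = digest
    @reset   = false
  end

  # Mirrors authenticity_token_from_session_id: HMAC(secret, session_id).
  # A callable :secret is invoked with the session, as the page's code does.
  # OpenSSL::Digest.new is the current constructor; the page uses the older
  # OpenSSL::Digest::Digest.new, which newer openssl gems no longer provide.
  def form_authenticity_token
    key = @secret.respond_to?(:call) ? @secret.call(session) : @secret
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(@digest), key.to_s,
                            session[:session_id].to_s)
  end

  def form_authenticity_param
    request.params[TOKEN_PARAM]
  end

  # Same order as the source: GET requests pass unchecked, then the form
  # parameter is tried, then the X-CSRF-Token header.
  def verified_request?
    request.get? ||
      token_matches?(form_authenticity_param) ||
      token_matches?(request.headers['X-CSRF-Token'])
  end

  # The before_filter body from the page.
  def verify_authenticity_token
    verified_request? || handle_unverified_request
  end

  # Models reset_session: the session contents are discarded and the
  # fact is recorded so a caller (or a test) can observe it.
  def handle_unverified_request
    @session = {}
    @reset = true
    false
  end

  def session_reset?
    @reset
  end

  private

  # Constant-time comparison in place of the page's ==, so that the time
  # taken does not depend on how many leading characters match.
  def token_matches?(candidate)
    return false if candidate.nil?
    expected = form_authenticity_token
    return false unless candidate.bytesize == expected.bytesize
    diff = 0
    expected.bytes.zip(candidate.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-secret' # constructed sample values
  sid    = 'constructed-session-id'
  token  = ForgeryCheck.new(secret: secret, session_id: sid,
                            request: SimpleRequest.new('GET', {}, {})).form_authenticity_token
  bad    = ForgeryCheck.new(secret: secret, session_id: sid,
                            request: SimpleRequest.new('POST', { 'authenticity_token' => 'stale' }, {}))
  puts "token for #{sid}: #{token}"
  puts "stale POST verified? #{bad.verify_authenticity_token}, session reset? #{bad.session_reset?}"
end
```

Note that the token is bound to the session id, so a token issued for one session never verifies against another, and that a request failing the check ends with an emptied session, which is what reset_session does in the page's handle_unverified_request.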
