Public Instance methods
Check that the submitted CSRF token is valid, if the request requires a CSRF token. If the CSRF token is valid or the request does not require a CSRF token, return nil. Otherwise, if a block is given, treat it as a routing block and yield to it; if no block is given (or the block does not halt the request), use the :csrf_failure option to determine how the failure is handled (:raise, :empty_403, :clear_session, or :csrf_failure_method; passing a Proc is deprecated).
    # File lib/roda/plugins/route_csrf.rb
    def check_csrf!(opts=OPTS, &block)
      if msg = csrf_invalid_message(opts)
        if block
          @_request.on(&block)
        end

        case failure_action = opts.fetch(:csrf_failure, csrf_options[:csrf_failure])
        when :raise
          raise InvalidToken, msg
        when :empty_403
          @_response.status = 403
          headers = @_response.headers
          headers.clear
          headers[RodaResponseHeaders::CONTENT_TYPE] = 'text/html'
          headers[RodaResponseHeaders::CONTENT_LENGTH] = '0'
          throw :halt, @_response.finish_with_body([])
        when :clear_session
          session.clear
        when :csrf_failure_method
          @_request.on{_roda_route_csrf_failure(@_request)}
        when Proc
          RodaPlugins.warn "Passing a Proc as the :csrf_failure option value to check_csrf! is deprecated"
          @_request.on{instance_exec(@_request, &failure_action)} # Deprecated
        else
          raise RodaError, "Unsupported :csrf_failure option: #{failure_action.inspect}"
        end
      end
    end
The name of the hidden input tag containing the CSRF token. Also used as the name for the meta tag.
    # File lib/roda/plugins/route_csrf.rb
    def csrf_field
      csrf_options[:field]
    end
The HTTP header name to use when submitting CSRF tokens in an HTTP header, if such support is enabled (it is not by default).
    # File lib/roda/plugins/route_csrf.rb
    def csrf_header
      csrf_options[:header]
    end
An HTML meta tag string containing a CSRF token that is not request-specific. It is not recommended to use this, as it doesn’t support request-specific tokens.
    # File lib/roda/plugins/route_csrf.rb
    def csrf_metatag
      "<meta name=\"#{csrf_field}\" content=\"#{csrf_token}\" \/>"
    end
Given a form action, return the appropriate path to use for the CSRF token. This makes it easier to generate request-specific tokens without having to worry about the different types of form actions (relative paths, absolute paths, URLs, empty paths).
    # File lib/roda/plugins/route_csrf.rb
    def csrf_path(action)
      case action
      when nil, '', /\A[#?]/
        # use current path
        request.path
      when /\A(?:https?:\/)?\//
        # Either full URI or absolute path, extract just the path
        URI.parse(action).path
      else
        # relative path, join to current path
        URI.join(request.url, action).path
      end
    end
An HTML hidden input tag string containing the CSRF token. See csrf_token for arguments.
    # File lib/roda/plugins/route_csrf.rb
    def csrf_tag(*args)
      "<input type=\"hidden\" name=\"#{csrf_field}\" value=\"#{csrf_token(*args)}\" \/>"
    end
The value of the CSRF token. For a path-specific token, provide a path argument. By default, if a path is provided, the POST request method is assumed. To generate a token for a non-POST request method, pass the method as the second argument. The token is 31 random bytes followed by an HMAC binding those bytes to the method and path, base64-encoded.
    # File lib/roda/plugins/route_csrf.rb
    def csrf_token(path=nil, method=('POST' if path))
      token = SecureRandom.random_bytes(31)
      token << csrf_hmac(token, method, path)
      Base64.strict_encode64(token)
    end
Whether request-specific CSRF tokens should be used by default.
    # File lib/roda/plugins/route_csrf.rb
    def use_request_specific_csrf_tokens?
      csrf_options[:require_request_specific_tokens]
    end
Whether the submitted CSRF token is valid for the request. True if the request does not require a CSRF token.
    # File lib/roda/plugins/route_csrf.rb
    def valid_csrf?(opts=OPTS)
      csrf_invalid_message(opts).nil?
    end
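The following is an added, self-contained example (not Roda's own code) showing why the csrf_path normalization, the csrf_token layout and the nil-or-message contract of csrf_invalid_message fit together: a token minted for one method and path verifies only for that method and path, and a non-request-specific token is accepted only when request-specific tokens are not required. The CsrfExample module, the HMAC-SHA256 construction over method + path + random bytes, the per-session secret handling and the message strings are assumptions for illustration; the page does not show csrf_hmac or csrf_invalid_message, so the real plugin's internals may differ.

```ruby
require 'securerandom'
require 'openssl'
require 'base64'
require 'uri'

# Illustrative CSRF token scheme (example code, not the route_csrf plugin).
# ASSUMPTION: the HMAC is SHA-256 keyed with a per-session secret over
# METHOD + path + random bytes; the secret is supplied by the caller.
module CsrfExample
  RANDOM_LEN = 31 # random prefix, as in csrf_token
  HMAC_LEN   = 32 # SHA-256 digest size

  module_function

  # Same normalization as csrf_path on this page, with the current request
  # URL passed in explicitly instead of read from `request`.
  def csrf_path(action, current_url)
    case action
    when nil, '', /\A[#?]/
      URI.parse(current_url).path          # use current path
    when /\A(?:https?:\/)?\//
      URI.parse(action).path               # full URI or absolute path
    else
      URI.join(current_url, action).path   # relative path, join to current
    end
  end

  # ASSUMED construction: method and path are bound into the MAC so a token
  # for POST /a is useless for POST /b or DELETE /a.
  def csrf_hmac(secret, random, method, path)
    OpenSSL::HMAC.digest('SHA256', secret, method.to_s.upcase.b + path.to_s.b + random)
  end

  # Mirrors csrf_token(path=nil, method=('POST' if path)).
  def csrf_token(secret, path = nil, method = ('POST' if path))
    random = SecureRandom.random_bytes(RANDOM_LEN)
    Base64.strict_encode64(random + csrf_hmac(secret, random, method, path))
  end

  # Constant-time comparison so a forged MAC cannot be refined byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.each_with_index { |x, i| diff |= x ^ b.getbyte(i) }
    diff.zero?
  end

  # nil when the token is acceptable for the request, otherwise a message
  # (the same nil/message contract valid_csrf? relies on).
  def csrf_invalid_message(secret, token, method, path, require_request_specific: true)
    return 'missing CSRF token' if token.nil? || token.empty?
    begin
      raw = Base64.strict_decode64(token)
    rescue ArgumentError
      return 'encoded CSRF token is not valid base64'
    end
    return 'CSRF token has wrong length' unless raw.bytesize == RANDOM_LEN + HMAC_LEN
    random = raw.byteslice(0, RANDOM_LEN)
    mac    = raw.byteslice(RANDOM_LEN, HMAC_LEN)

    return nil if secure_compare(mac, csrf_hmac(secret, random, method, path))
    return 'CSRF token is not valid for this request' if require_request_specific
    # Fall back to the non-request-specific token (no method, no path bound).
    secure_compare(mac, csrf_hmac(secret, random, nil, nil)) ? nil : 'CSRF token is not valid'
  end
end

if $PROGRAM_NAME == __FILE__
  secret = SecureRandom.random_bytes(32)                 # constructed per-session secret
  path   = CsrfExample.csrf_path('confirm', 'http://example.com/orders/new')
  token  = CsrfExample.csrf_token(secret, path)          # form action "confirm" -> POST /orders/confirm
  puts "token for POST #{path}: #{token}"
  puts CsrfExample.csrf_invalid_message(secret, token, 'POST', path).inspect      # nil
  puts CsrfExample.csrf_invalid_message(secret, token, 'POST', '/orders').inspect # message
end
```

The verifier side upcases the method before computing the MAC, matching the generator, so a token minted with the default 'POST' also validates when the request method arrives as 'post'. Decoding failures and wrong-length tokens are reported as messages rather than raised, so a caller in the style of check_csrf! can choose between :raise and an empty 403 without leaking which check failed to the client.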