Public Instance methods
Check that the submitted CSRF token is valid, if the request requires one. If the token is valid or the request does not require a CSRF token, return nil. Otherwise, if a block is given, treat it as a routing block and yield to it; if no block is given, use the :csrf_failure option to determine how the failure is handled.

# File lib/roda/plugins/route_csrf.rb
def check_csrf!(opts=OPTS, &block)
  if msg = csrf_invalid_message(opts)
    if block
      @_request.on(&block)
    end

    case failure_action = opts.fetch(:csrf_failure, csrf_options[:csrf_failure])
    when :raise
      raise InvalidToken, msg
    when :empty_403
      @_response.status = 403
      headers = @_response.headers
      headers.clear
      headers[RodaResponseHeaders::CONTENT_TYPE] = 'text/html'
      headers[RodaResponseHeaders::CONTENT_LENGTH] = '0'
      throw :halt, @_response.finish_with_body([])
    when :clear_session
      session.clear
    when :csrf_failure_method
      @_request.on{_roda_route_csrf_failure(@_request)}
    when Proc
      RodaPlugins.warn "Passing a Proc as the :csrf_failure option value to check_csrf! is deprecated"
      @_request.on{instance_exec(@_request, &failure_action)} # Deprecated
    else
      raise RodaError, "Unsupported :csrf_failure option: #{failure_action.inspect}"
    end
  end
end
The name of the hidden input tag containing the CSRF token. Also used as the name for the meta tag.
# File lib/roda/plugins/route_csrf.rb
def csrf_field
  csrf_options[:field]
end
An HTML hidden input tag string containing the CSRF token, used for inputs with formaction, so the same form can be used to submit to multiple endpoints depending on which button was clicked. See csrf_token for arguments, but the path argument is required.

# File lib/roda/plugins/route_csrf.rb
def csrf_formaction_tag(path, *args)
  "<input type=\"hidden\" name=\"#{csrf_options[:formaction_field]}[#{Rack::Utils.escape_html(path)}]\" value=\"#{csrf_token(path, *args)}\" \/>"
end
The HTTP header name to use when submitting CSRF tokens in an HTTP header, if such support is enabled (it is not by default).
# File lib/roda/plugins/route_csrf.rb
def csrf_header
  csrf_options[:header]
end
An HTML meta tag string containing a CSRF token that is not request-specific. It is not recommended to use this, as it doesn’t support request-specific tokens.
# File lib/roda/plugins/route_csrf.rb
def csrf_metatag
  "<meta name=\"#{csrf_field}\" content=\"#{csrf_token}\" \/>"
end
Given a form action, return the appropriate path to use for the CSRF token. This makes it easier to generate request-specific tokens without having to worry about the different types of form actions (relative paths, absolute paths, URLs, empty paths).
# File lib/roda/plugins/route_csrf.rb
def csrf_path(action)
  case action
  when nil, '', /\A[#?]/
    # use current path
    request.path
  when /\A(?:https?:\/)?\//
    # Either full URI or absolute path, extract just the path
    URI.parse(action).path
  else
    # relative path, join to current path
    URI.join(request.url, action).path
  end
end
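The three branches of csrf_path decide which path a request-specific token is bound to, so getting them wrong means a token minted for one endpoint either fails validation or, worse, is accepted for another. The following is an added example, not the plugin's own code: it reproduces the same case logic as a standalone function that takes the current request path and URL as explicit arguments (the plugin reads them from request), and exercises each kind of form action.

```ruby
require 'uri'

# Standalone version of csrf_path's action-to-path logic (added example).
# request_path / request_url stand in for request.path / request.url.
def csrf_path(request_path, request_url, action)
  case action
  when nil, '', /\A[#?]/
    # No action, fragment-only or query-only: the form posts to the current path.
    request_path
  when /\A(?:https?:\/)?\//
    # Full URI or absolute path: keep only the path component.
    URI.parse(action).path
  else
    # Relative path: resolve it against the current URL, then keep the path.
    URI.join(request_url, action).path
  end
end

# Constructed sample request: the page currently being rendered.
CURRENT_PATH = '/posts/12'
CURRENT_URL  = 'https://example.com/posts/12'

def sample_paths
  [nil, '', '#top', '?page=2', '/posts', 'https://example.com/posts/12/comments?x=1', 'edit', '../archive']
    .map { |action| [action, csrf_path(CURRENT_PATH, CURRENT_URL, action)] }
end

if __FILE__ == $0
  sample_paths.each { |action, path| puts "#{action.inspect.ljust(45)} => #{path}" }
end
```

Note that a full URL to another host still yields just its path, so the token is bound to the path, not the origin; this is why the plugin's tokens are request-specific by path and method rather than by absolute URL.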
An HTML hidden input tag string containing the CSRF token. See csrf_token for arguments.

# File lib/roda/plugins/route_csrf.rb
def csrf_tag(*args)
  "<input type=\"hidden\" name=\"#{csrf_field}\" value=\"#{csrf_token(*args)}\" \/>"
end
The value of the CSRF token. For a path-specific token, provide a path argument. By default, if a path is provided, the POST request method is assumed. To generate a token for a non-POST request method, pass the method as the second argument.

# File lib/roda/plugins/route_csrf.rb
def csrf_token(path=nil, method=('POST' if path))
  token = SecureRandom.random_bytes(31)
  token << csrf_hmac(token, method, path)
  [token].pack("m0")
end
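The token format above is 31 random bytes followed by an HMAC over those bytes together with the request method and path, base64-encoded without line breaks. What makes a token request-specific is therefore not the random prefix but the method and path mixed into the HMAC input. This added example (not the plugin's code) mirrors that construction and adds the matching verification step, so the effect of a wrong path, wrong method, wrong secret or malformed token can be seen directly. The csrf_hmac used here is an assumed stand-in, HMAC-SHA256 keyed by a per-session secret passed in explicitly; the plugin's actual csrf_hmac and secret handling are not shown on this page.

```ruby
require 'securerandom'
require 'openssl'

# Assumed stand-in for the plugin's csrf_hmac (not shown on the page):
# HMAC-SHA256 over method, path and the random prefix, keyed by a
# per-session secret. NUL separators keep "PO" + "ST/x" and "POST" + "/x"
# from colliding.
def csrf_hmac(secret, random, method, path)
  OpenSSL::HMAC.digest('SHA256', secret, "#{method}\0#{path}\0#{random}")
end

# Mirrors csrf_token: 31 random bytes, then the HMAC, base64 without newlines.
# With no path the method is nil, giving a non-request-specific token.
def csrf_token(secret, path = nil, method = ('POST' if path))
  token = SecureRandom.random_bytes(31)
  token << csrf_hmac(secret, token.dup, method, path)
  [token].pack('m0')
end

# Constant-time comparison so a forged MAC cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verification counterpart: decode, split off the MAC, recompute it for the
# request the token is being checked against, and compare in constant time.
def valid_csrf_token?(secret, encoded, path = nil, method = ('POST' if path))
  return false unless encoded.is_a?(String)
  token = (encoded.unpack1('m0') rescue nil)   # strict base64; nil on garbage
  return false unless token && token.bytesize == 31 + 32
  random = token.byteslice(0, 31)
  mac    = token.byteslice(31, 32)
  secure_equal?(mac, csrf_hmac(secret, random, method, path))
end

if __FILE__ == $0
  secret = SecureRandom.random_bytes(32)          # constructed per-session secret
  tok = csrf_token(secret, '/posts')
  puts "token:            #{tok}"
  puts "same path/method: #{valid_csrf_token?(secret, tok, '/posts')}"
  puts "other path:       #{valid_csrf_token?(secret, tok, '/admin')}"
  puts "other method:     #{valid_csrf_token?(secret, tok, '/posts', 'DELETE')}"
end
```

Because the path and method are bound into the MAC rather than stored in the token, a token leaked from one form (for example through a referrer or a logged request body) cannot be replayed against a different endpoint, which is the property the request-specific option buys over the plain csrf_metatag token.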
Whether request-specific CSRF tokens should be used by default.
# File lib/roda/plugins/route_csrf.rb
def use_request_specific_csrf_tokens?
  csrf_options[:require_request_specific_tokens]
end
Whether the submitted CSRF token is valid for the request. Returns true if the request does not require a CSRF token.

# File lib/roda/plugins/route_csrf.rb
def valid_csrf?(opts=OPTS)
  csrf_invalid_message(opts).nil?
end