module Roda::RodaPlugins::RouteCsrf::InstanceMethods

lib/roda/plugins/route_csrf.rb

Public Instance methods

check_csrf!(opts=OPTS, &block)

Check that the submitted CSRF token is valid, if the request requires a CSRF token. If the CSRF token is valid or the request does not require a CSRF token, return nil. Otherwise, if a block is given, treat it as a routing block and yield to it, and if a block is not given, use the :csrf_failure option to determine how to handle it.

    # File lib/roda/plugins/route_csrf.rb
    def check_csrf!(opts=OPTS, &block)
      if msg = csrf_invalid_message(opts)
        if block
          @_request.on(&block)
        end

        case failure_action = opts.fetch(:csrf_failure, csrf_options[:csrf_failure])
        when :raise
          raise InvalidToken, msg
        when :empty_403
          @_response.status = 403
          headers = @_response.headers
          headers.clear
          headers[RodaResponseHeaders::CONTENT_TYPE] = 'text/html'
          headers[RodaResponseHeaders::CONTENT_LENGTH] = '0'
          throw :halt, @_response.finish_with_body([])
        when :clear_session
          session.clear
        when :csrf_failure_method
          @_request.on{_roda_route_csrf_failure(@_request)}
        when Proc
          RodaPlugins.warn "Passing a Proc as the :csrf_failure option value to check_csrf! is deprecated"
          @_request.on{instance_exec(@_request, &failure_action)} # Deprecated
        else
          raise RodaError, "Unsupported :csrf_failure option: #{failure_action.inspect}"
        end
      end
    end

csrf_field()

The name of the hidden input tag containing the CSRF token. Also used as the name for the meta tag.

    # File lib/roda/plugins/route_csrf.rb
    def csrf_field
      csrf_options[:field]
    end

csrf_header()

The HTTP header name to use when submitting CSRF tokens in an HTTP header, if such support is enabled (it is not by default).

    # File lib/roda/plugins/route_csrf.rb
    def csrf_header
      csrf_options[:header]
    end

csrf_metatag()

An HTML meta tag string containing a CSRF token that is not request-specific. It is not recommended to use this, as it doesn't support request-specific tokens.

    # File lib/roda/plugins/route_csrf.rb
    def csrf_metatag
      "<meta name=\"#{csrf_field}\" content=\"#{csrf_token}\" \/>"
    end

csrf_path(action)

Given a form action, return the appropriate path to use for the CSRF token. This makes it easier to generate request-specific tokens without having to worry about the different types of form actions (relative paths, absolute paths, URLs, empty paths).

    # File lib/roda/plugins/route_csrf.rb
    def csrf_path(action)
      case action
      when nil, '', /\A[#?]/
        # use current path
        request.path
      when /\A(?:https?:\/)?\//
        # Either full URI or absolute path, extract just the path
        URI.parse(action).path
      else
        # relative path, join to current path
        URI.join(request.url, action).path
      end
    end

csrf_tag(*args)

An HTML hidden input tag string containing the CSRF token. See csrf_token for arguments.

    # File lib/roda/plugins/route_csrf.rb
    def csrf_tag(*args)
      "<input type=\"hidden\" name=\"#{csrf_field}\" value=\"#{csrf_token(*args)}\" \/>"
    end

csrf_token(path=nil, method=('POST' if path))

The value of the CSRF token. For a path-specific token, provide a path argument. By default, if a path is provided, the POST request method is assumed. To generate a token for a non-POST request method, pass the method as the second argument.

    # File lib/roda/plugins/route_csrf.rb
    def csrf_token(path=nil, method=('POST' if path))
      token = SecureRandom.random_bytes(31)
      token << csrf_hmac(token, method, path)
      Base64.strict_encode64(token)
    end
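As an added, stand-alone Ruby example (not the plugin's own code), this models how a request-specific token of the shape csrf_token produces is bound to the path that csrf_path resolves from a form action, and then checked on submission. The HMAC construction, the CSRF_SECRET constant and the secure_equal?/valid_csrf_token? helpers are assumptions, since csrf_hmac and csrf_invalid_message are not shown on this page.

```ruby
require 'securerandom'
require 'base64'
require 'openssl'
require 'uri'

# Constructed per-process secret; in Roda the keying material comes from the session.
CSRF_SECRET = SecureRandom.random_bytes(32)

# Same action handling as csrf_path above, for a request with a known URL.
def csrf_path(request_url, action)
  case action
  when nil, '', /\A[#?]/
    URI.parse(request_url).path          # use current path
  when /\A(?:https?:\/)?\//
    URI.parse(action).path               # full URI or absolute path: keep only the path
  else
    URI.join(request_url, action).path   # relative path: join to current path
  end
end

# Assumed MAC (csrf_hmac is not shown on this page). Binding the random part to the
# request method and path is what makes a token for one form useless on another.
def csrf_hmac(random, method, path)
  data = [random.b, method.to_s.b, path.to_s.b].join("\0".b)
  OpenSSL::HMAC.digest('SHA256', CSRF_SECRET, data)
end

# Same shape as csrf_token above: 31 random bytes followed by the MAC, Base64-encoded.
def csrf_token(path = nil, method = ('POST' if path))
  token = SecureRandom.random_bytes(31)
  token << csrf_hmac(token, method, path)
  Base64.strict_encode64(token)
end

# Constant-time byte comparison so MAC checking does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a submitted token against the method and path of the current request.
def valid_csrf_token?(encoded, method, path)
  raw = Base64.strict_decode64(encoded.to_s)
  return false unless raw.bytesize == 31 + 32
  secure_equal?(raw[31, 32], csrf_hmac(raw[0, 31], method, path))
rescue ArgumentError
  false   # malformed Base64 is simply an invalid token
end
```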

use_request_specific_csrf_tokens?()

Whether request-specific CSRF tokens should be used by default.

    # File lib/roda/plugins/route_csrf.rb
    def use_request_specific_csrf_tokens?
      csrf_options[:require_request_specific_tokens]
    end

valid_csrf?(opts=OPTS)

Whether the submitted CSRF token is valid for the request. True if the request does not require a CSRF token.

    # File lib/roda/plugins/route_csrf.rb
    def valid_csrf?(opts=OPTS)
      csrf_invalid_message(opts).nil?
    end