Module: Padrino::Helpers::FormHelpers::Security

Defined in:

lib/padrino-helpers/form_helpers/security.rb

Overview

Helpers to generate form security tags for csrf protection.

Instance Method Summary

• #csrf_meta_tags ⇒ String

  Constructs meta tags ‘csrf-param` and `csrf-token` with the name of the cross-site request forgery protection parameter and token, respectively.

• #csrf_param ⇒ Object protected

  Returns the param/field name in which your CSRF token should be expected by your controllers.

• #csrf_token ⇒ Object protected

  Returns the current CSRF token (based on the session).

• #csrf_token_field ⇒ String

  Constructs a hidden field containing a CSRF token.

• #is_protected_from_csrf? ⇒ Boolean protected

  Returns whether the application is being protected from CSRF.

Instance Method Details

#csrf_meta_tags ⇒ String

Constructs meta tags ‘csrf-param` and `csrf-token` with the name of the cross-site request forgery protection parameter and token, respectively.

Examples:

csrf_meta_tags

Returns:

• (String) —

  The meta tags with the CSRF token and the param your app expects it in.

# File 'lib/padrino-helpers/form_helpers/security.rb', line 34

def csrf_meta_tags
  if is_protected_from_csrf?
    meta_tag(csrf_param, :name => 'csrf-param') <<
    meta_tag(csrf_token, :name => 'csrf-token')
  end
end

#csrf_param ⇒ Object (protected)

Returns the param/field name in which your CSRF token should be expected by your controllers. Defaults to ‘authenticity_token`.

Set this in your application with ‘set :csrf_param, :something_else`.

# File 'lib/padrino-helpers/form_helpers/security.rb', line 64

def csrf_param
  defined?(settings) && settings.respond_to?(:csrf_param) ? settings.csrf_param : :authenticity_token
end

#csrf_token ⇒ Object (protected)

Returns the current CSRF token (based on the session). If it doesn’t exist, it will create one and assign it to the session’s ‘csrf` key.

# File 'lib/padrino-helpers/form_helpers/security.rb', line 54

def csrf_token
  session[:csrf] ||= SecureRandom.hex(32) if defined?(session)
end

#csrf_token_field ⇒ String

Constructs a hidden field containing a CSRF token.

Examples:

csrf_token_field

Parameters:

• token (String) —

  The token to use. Will be read from the session by default.

Returns:

• (String) —

  The hidden field with CSRF token as value.

# File 'lib/padrino-helpers/form_helpers/security.rb', line 21

def csrf_token_field
  hidden_field_tag csrf_param, :value => csrf_token
end

#is_protected_from_csrf? ⇒ Boolean (protected)

Returns whether the application is being protected from CSRF. Defaults to true.

Returns:

• (Boolean)

# File 'lib/padrino-helpers/form_helpers/security.rb', line 46

def is_protected_from_csrf?
  defined?(settings) ? settings.protect_from_csrf : true
end