Module: Roda::RodaPlugins::RouteCsrf::InstanceMethods
- Defined in:
- lib/roda/plugins/route_csrf.rb
Instance Method Summary collapse
-
#check_csrf!(opts = OPTS, &block) ⇒ Object
Check that the submitted CSRF token is valid, if the request requires a CSRF token.
-
#csrf_field ⇒ Object
The name of the hidden input tag containing the CSRF token.
-
#csrf_header ⇒ Object
The HTTP header name to use when submitting CSRF tokens in an HTTP header, if such support is enabled (it is not by default).
-
#csrf_metatag ⇒ Object
An HTML meta tag string containing a CSRF token that is not request-specific.
-
#csrf_path(action) ⇒ Object
Given a form action, return the appropriate path to use for the CSRF token.
-
#csrf_tag(*args) ⇒ Object
An HTML hidden input tag string containing the CSRF token.
-
#csrf_token(path = nil, method = ('POST' if path)) ⇒ Object
The value of the csrf token.
-
#use_request_specific_csrf_tokens? ⇒ Boolean
Whether request-specific CSRF tokens should be used by default.
-
#valid_csrf?(opts = OPTS) ⇒ Boolean
Whether the submitted CSRF token is valid for the request.
Instance Method Details
#check_csrf!(opts = OPTS, &block) ⇒ Object
Check that the submitted CSRF token is valid, if the request requires a CSRF token. If the CSRF token is valid or the request does not require a CSRF token, return nil. Otherwise, if a block is given, treat it as a routing block and yield to it, and if a block is not given, use the :csrf_failure option to determine how to handle it.
182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 |
# File 'lib/roda/plugins/route_csrf.rb', line 182 def check_csrf!(opts=OPTS, &block) if msg = (opts) if block @_request.on(&block) end case failure_action = opts.fetch(:csrf_failure, [:csrf_failure]) when :raise raise InvalidToken, msg when :empty_403 throw :halt, [403, {'Content-Type'=>'text/html', 'Content-Length'=>'0'}, []] when :clear_session session.clear when Proc @_request.on{instance_exec(@_request, &failure_action)} else raise RodaError, "Unsupported :csrf_failure option: #{failure_action.inspect}" end end end |
#csrf_field ⇒ Object
The name of the hidden input tag containing the CSRF token. Also used as the name for the meta tag.
205 206 207 |
# File 'lib/roda/plugins/route_csrf.rb', line 205 def csrf_field [:field] end |
#csrf_header ⇒ Object
The HTTP header name to use when submitting CSRF tokens in an HTTP header, if such support is enabled (it is not by default).
211 212 213 |
# File 'lib/roda/plugins/route_csrf.rb', line 211 def csrf_header [:header] end |
#csrf_metatag ⇒ Object
An HTML meta tag string containing a CSRF token that is not request-specific. It is not recommended to use this, as it doesn’t support request-specific tokens.
217 218 219 |
# File 'lib/roda/plugins/route_csrf.rb', line 217 def "<meta name=\"#{csrf_field}\" content=\"#{csrf_token}\" \/>" end |
#csrf_path(action) ⇒ Object
Given a form action, return the appropriate path to use for the CSRF token. This makes it easier to generate request-specific tokens without having to worry about the different types of form actions (relative paths, absolute paths, URLs, empty paths).
225 226 227 228 229 230 231 232 233 234 235 236 237 |
# File 'lib/roda/plugins/route_csrf.rb', line 225 def csrf_path(action) case action when nil, '', /\A[#?]/ # use current path request.path when /\A(?:https?:\/)?\// # Either full URI or absolute path, extract just the path URI.parse(action).path else # relative path, join to current path URI.join(request.url, action).path end end |
#csrf_tag(*args) ⇒ Object
An HTML hidden input tag string containing the CSRF token. See csrf_token for arguments.
241 242 243 |
# File 'lib/roda/plugins/route_csrf.rb', line 241 def csrf_tag(*args) "<input type=\"hidden\" name=\"#{csrf_field}\" value=\"#{csrf_token(*args)}\" \/>" end |
#csrf_token(path = nil, method = ('POST' if path)) ⇒ Object
The value of the csrf token. For a path specific token, provide a path argument. By default, it a path is provided, the POST request method will be assumed. To generate a token for a non-POST request method, pass the method as the second argument.
249 250 251 252 253 |
# File 'lib/roda/plugins/route_csrf.rb', line 249 def csrf_token(path=nil, method=('POST' if path)) token = SecureRandom.random_bytes(31) token << csrf_hmac(token, method, path) Base64.strict_encode64(token) end |
#use_request_specific_csrf_tokens? ⇒ Boolean
Whether request-specific CSRF tokens should be used by default.
256 257 258 |
# File 'lib/roda/plugins/route_csrf.rb', line 256 def use_request_specific_csrf_tokens? [:require_request_specific_tokens] end |
#valid_csrf?(opts = OPTS) ⇒ Boolean
Whether the submitted CSRF token is valid for the request. True if the request does not require a CSRF token.
262 263 264 |
# File 'lib/roda/plugins/route_csrf.rb', line 262 def valid_csrf?(opts=OPTS) (opts).nil? end |