Class: Roda::Component::Faye::CsrfProtection

Inherits:
Object
Defined in:
lib/roda/component/faye.rb


Instance Method Details

#incoming(message, request, callback) ⇒ Object



# File 'lib/roda/component/faye.rb', line 92

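# Faye extension hook: authenticate every incoming message before it is
# processed or relayed.
#
# Two different secrets guard two classes of traffic:
# * `/meta/*` handshake/connect/subscribe/unsubscribe/disconnect messages
#   must carry the per-session CSRF token (`ext.csrfToken`) matching
#   `request.session['csrf.token']`, so a cross-site page cannot open a
#   channel on behalf of a logged-in browser.
# * every other channel must carry the application-wide token
#   (`data.token`) configured in `Roda::Component.app.component_opts[:token]`.
#
# On failure `message['error']` is set to `'401::Access denied'`, which the
# Faye extension protocol treats as a rejection; the message is handed to
# `callback` either way. The token field is deleted from the message in both
# branches so the secret does not travel further down the pipeline.
#
# @param message  [Hash] the Bayeux message (`'channel'`, optional `'ext'`/`'data'`)
# @param request  [#session] request whose session holds the CSRF token
# @param callback [#call] continuation that receives the (possibly errored) message
# @return [Object] whatever `callback` returns
def incoming(message, request, callback)
  case message['channel']
  when '/meta/connect', '/meta/handshake', '/meta/subscribe', '/meta/disconnect', '/meta/unsubscribe'
    expected = request.session['csrf.token']
    ext      = message['ext']
    # Only a Hash has the expected shape; a String/Array `ext` carries no token
    # (and String#delete would silently do something else entirely).
    supplied = ext.is_a?(Hash) ? ext.delete('csrfToken') : nil
  else
    expected = Roda::Component.app.component_opts[:token]
    data     = message['data']
    supplied = data.is_a?(Hash) ? data.delete('token') : nil
  end

  message['error'] = '401::Access denied' unless tokens_match?(expected, supplied)

  callback.call(message)
end

# Whether `supplied` proves knowledge of `expected`.
#
# Both sides must be present, non-empty Strings. A missing or unset expected
# token (session that has not been issued one yet, `:token` option not
# configured) must never be "matched" by a message that simply omits the
# field -- a plain `expected == supplied` allows exactly that via
# `nil == nil`. Non-String values decoded from JSON (arrays, hashes,
# numbers) are rejected rather than compared.
#
# The byte comparison examines every byte regardless of where the first
# mismatch is, so the token cannot be recovered byte by byte from response
# timing. Only the length is checked early, which is acceptable when tokens
# are fixed-width (e.g. SecureRandom output).
#
# @param expected [String, nil] the secret the server holds
# @param supplied [Object] the value taken from the message
# @return [Boolean]
private def tokens_match?(expected, supplied)
  return false unless expected.is_a?(String) && supplied.is_a?(String)
  return false if expected.empty? || supplied.empty?
  return false unless expected.bytesize == supplied.bytesize

  expected.bytes.zip(supplied.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end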