Class: Rack::Protection::AuthenticityToken
- Defined in:
- lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/authenticity_token.rb
Overview
- Prevented attack: CSRF
- Supported browsers: all
- More infos:
This middleware only accepts requests other than GET, HEAD, OPTIONS, TRACE if their given access token matches the token included in the session. It checks the X-CSRF-Token header and the POST form data.
It is not OOTB-compatible with the rack-csrf gem. For that, the following patch needs to be applied (default_options is the class-level setter inherited from Base):
Rack::Protection::AuthenticityToken.default_options(key: "csrf.token", authenticity_param: "_csrf")
Options
- :authenticity_param - the name of the param that should contain the token on a request. Default value: "authenticity_token"
- :key - the name of the param that should contain the token in the session. Default value: :csrf
- :allow_if - a proc for custom allow/deny logic. Default value: nil
Example: Forms application
To show what the AuthenticityToken does, this section includes a sample program which shows two forms: one with, and one without a CSRF token. The one without the CSRF token field will get a 403 Forbidden response.
Install the gem, then run the program:
gem install 'rack-protection'
ruby server.rb
Here is server.rb:

    require 'rack/protection'

    app = Rack::Builder.app do
      use Rack::Session::Cookie, secret: 'secret'
      use Rack::Protection::AuthenticityToken

      run -> (env) do
        [200, {}, [
          <<~EOS
            <!DOCTYPE html>
            <html lang="en">
            <head>
              <meta charset="UTF-8" />
              <title>rack-protection minimal example</title>
            </head>
            <body>
              <h1>Without Authenticity Token</h1>
              <p>This takes you to <tt>Forbidden</tt></p>
              <form action="" method="post">
                <input type="text" name="foo" />
                <input type="submit" />
              </form>

              <h1>With Authenticity Token</h1>
              <p>This successfully takes you to back to this form.</p>
              <form action="" method="post">
                <input type="hidden" name="authenticity_token" value="#{Rack::Protection::AuthenticityToken.token(env['rack.session'])}" />
                <input type="text" name="foo" />
                <input type="submit" />
              </form>
            </body>
            </html>
          EOS
        ]]
      end
    end

    Rack::Handler::WEBrick.run app
Example: Customize which POST parameter holds the token
To customize the authenticity parameter for form data, use the :authenticity_param option:

    use Rack::Protection::AuthenticityToken, authenticity_param: 'your_token_param_name'
Constant Summary
- TOKEN_LENGTH = 32
Methods inherited from Base
#call, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #initialize, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn
Constructor Details
This class inherits a constructor from Rack::Protection::Base
Class Method Details
.random_token ⇒ Object
    # File 'lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/authenticity_token.rb', line 108

    def self.random_token
      SecureRandom.urlsafe_base64(TOKEN_LENGTH, padding: false)
    end
.token(session, path: nil, method: :post) ⇒ Object
    # File 'lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/authenticity_token.rb', line 104

    def self.token(session, path: nil, method: :post)
      new(nil).mask_authenticity_token(session, path: path, method: method)
    end
Instance Method Details
#accepts?(env) ⇒ Boolean
    # File 'lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/authenticity_token.rb', line 112

    def accepts?(env)
      session = session(env)
      set_token(session)

      # Safe (read-only) methods pass; otherwise the header, then the form
      # param, then the optional allow_if hook may accept the request.
      safe?(env) ||
        valid_token?(env, env['HTTP_X_CSRF_TOKEN']) ||
        valid_token?(env, Request.new(env).params[options[:authenticity_param]]) ||
        options[:allow_if]&.call(env)
    rescue StandardError
      false
    end
#mask_authenticity_token(session, path: nil, method: :post) ⇒ Object
    # File 'lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/authenticity_token.rb', line 124

    def mask_authenticity_token(session, path: nil, method: :post)
      set_token(session)

      token = if path && method
                per_form_token(session, path, method)
              else
                global_token(session)
              end

      mask_token(token)
    end