Module: UnifiedCsrfPrevention::Core

Defined in:: lib/unified_csrf_prevention/core.rb

Overview

Low-level routines and constants See github.com/xing/cross-application-csrf-prevention#low-level-implementation-details

Constant Summary collapse

TOKEN_COOKIE_NAME =

'csrf_token'

CHECKSUM_COOKIE_NAME =

'csrf_checksum'

TOKEN_RACK_ENV_VAR =

'unified_csrf_prevention.token'

Class Method Summary collapse

Class Method Details

.checksum_for(token) ⇒ `Object`

# File 'lib/unified_csrf_prevention/core.rb', line 25

def checksum_for(token)
  digest_algorithm = OpenSSL::Digest::SHA256.new
  token_digest = OpenSSL::HMAC.digest(digest_algorithm, shared_secret_key, token)
  encode(token_digest)
end

.generate_token ⇒ `Object`

# File 'lib/unified_csrf_prevention/core.rb', line 19

def generate_token
  random_bytes_needed = (ActionController::Base::AUTHENTICITY_TOKEN_LENGTH * 0.75).ceil # Base 64 requires four bytes to store three bytes of data
  random_bytes = SecureRandom.random_bytes(random_bytes_needed)
  encode(random_bytes)[0...ActionController::Base::AUTHENTICITY_TOKEN_LENGTH]
end

.valid_token?(token, checksum) ⇒ `Boolean`

Returns:

(Boolean)



31
32
33

# File 'lib/unified_csrf_prevention/core.rb', line 31

def valid_token?(token, checksum)
  !token.nil? && !checksum.nil? && ActiveSupport::SecurityUtils.secure_compare(checksum_for(token), checksum)
end

Module: UnifiedCsrfPrevention::Core

Overview

Constant Summary collapse

Class Method Summary collapse

Class Method Details

.checksum_for(token) ⇒ Object

.generate_token ⇒ Object

.valid_token?(token, checksum) ⇒ Boolean

.checksum_for(token) ⇒ `Object`

.generate_token ⇒ `Object`

.valid_token?(token, checksum) ⇒ `Boolean`