Class: Otto::Security::CSRFMiddleware

Inherits:
Object
  • Object
show all
Defined in:
lib/otto/security/csrf.rb

Overview

Middleware that provides Cross-Site Request Forgery (CSRF) protection

Constant Summary collapse

SAFE_METHODS = 
%w[GET HEAD OPTIONS TRACE].freeze

Instance Method Summary collapse

Constructor Details

#initialize(app, config = nil) ⇒ CSRFMiddleware

Returns a new instance of CSRFMiddleware.



12
13
14
15
 
# File 'lib/otto/security/csrf.rb', line 12

def initialize(app, config = nil)
  @app    = app
  @config = config || Otto::Security::Config.new
end

Instance Method Details

#call(env) ⇒ Object 



17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
 
# File 'lib/otto/security/csrf.rb', line 17

def call(env)
  return @app.call(env) unless @config.csrf_enabled?

  request = Rack::Request.new(env)

  # Skip CSRF protection for safe methods
  if safe_method?(request.request_method)
    response = @app.call(env)
    response = inject_csrf_token(request, response) if html_response?(response)
    return response
  end

  # Validate CSRF token for unsafe methods
  return csrf_error_response unless valid_csrf_token?(request)

  @app.call(env)
end