Class: Otto::Security::Middleware::CSRFMiddleware

Inherits:
Object
Defined in:
lib/otto/security/middleware/csrf_middleware.rb

Overview

Middleware that provides Cross-Site Request Forgery (CSRF) protection

Constant Summary

# Request methods exempt from token validation in #call (read-only by
# convention). Presumably consulted by safe_method?, whose definition is not
# shown here. Frozen so the whitelist cannot be mutated at runtime.
SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].freeze

Instance Method Summary

Constructor Details

#initialize(app, config = nil) ⇒ CSRFMiddleware

Returns a new instance of CSRFMiddleware.



# File 'lib/otto/security/middleware/csrf_middleware.rb', line 14

# Wraps a downstream Rack application with CSRF protection.
#
# @param app [#call] the downstream Rack application
# @param config [Otto::Security::Config, nil] security settings; when nil
#   (or false) a fresh Otto::Security::Config is created
def initialize(app, config = nil)
  @app = app
  @config = config
  # ||= so that a caller passing nil/false gets the default config
  @config ||= Otto::Security::Config.new
end

Instance Method Details

#call(env) ⇒ Object



# File 'lib/otto/security/middleware/csrf_middleware.rb', line 19

# Rack entry point.
#
# When CSRF protection is disabled in the config the request is passed straight
# through. Requests using a safe method bypass validation; if the downstream
# response is HTML, a CSRF token is injected into it. Every other method must
# present a valid CSRF token, otherwise a structured warning (request context
# plus referrer) is logged and the CSRF error response is returned instead of
# calling the app.
#
# @param env [Hash] Rack environment
# @return [Object] the downstream app's response (possibly with a token
#   injected), or csrf_error_response when validation fails
def call(env)
  return @app.call(env) unless @config.csrf_enabled?

  request = Otto::Request.new(env)

  if safe_method?(request.request_method)
    # Read-only requests are not validated; the app runs first and only an
    # HTML response gets the token injected.
    upstream = @app.call(env)
    return html_response?(upstream) ? inject_csrf_token(request, upstream) : upstream
  end

  # State-changing request: the app runs only once the token checks out.
  return @app.call(env) if valid_csrf_token?(request)

  # Rejected request: record where it claimed to come from, then short-circuit.
  context = Otto::LoggingHelpers.request_context(env).merge(referrer: request.referrer)
  Otto.structured_log(:warn, "CSRF validation failed", context)
  csrf_error_response
end