Module: Roda::RodaPlugins::RouteCsrf::InstanceMethods

Defined in:

lib/roda/plugins/route_csrf.rb

Instance Method Summary

• #check_csrf!(opts = OPTS, &block) ⇒ Object

  Check that the submitted CSRF token is valid, if the request requires a CSRF token.

• #csrf_field ⇒ Object

  The name of the hidden input tag containing the CSRF token.

• #csrf_header ⇒ Object

  The HTTP header name to use when submitting CSRF tokens in an HTTP header, if such support is enabled (it is not by default).

• #csrf_metatag ⇒ Object

  An HTML meta tag string containing a CSRF token that is not request-specific.

• #csrf_path(action) ⇒ Object

  Given a form action, return the appropriate path to use for the CSRF token.

• #csrf_tag(*args) ⇒ Object

  An HTML hidden input tag string containing the CSRF token.

• #csrf_token(path = nil, method = ('POST' if path)) ⇒ Object

  The value of the csrf token.

• #use_request_specific_csrf_tokens? ⇒ Boolean

  Whether request-specific CSRF tokens should be used by default.

• #valid_csrf?(opts = OPTS) ⇒ Boolean

  Whether the submitted CSRF token is valid for the request.

Instance Method Details

#check_csrf!(opts = OPTS, &block) ⇒ Object

Check that the submitted CSRF token is valid, if the request requires a CSRF token. If the CSRF token is valid or the request does not require a CSRF token, return nil. Otherwise, if a block is given, treat it as a routing block and yield to it, and if a block is not given, use the :csrf_failure option to determine how to handle it.

# File 'lib/roda/plugins/route_csrf.rb', line 190

def check_csrf!(opts=OPTS, &block)
  if msg = csrf_invalid_message(opts)
    if block
      @_request.on(&block)
    end
    
    case failure_action = opts.fetch(:csrf_failure, csrf_options[:csrf_failure])
    when :raise
      raise InvalidToken, msg
    when :empty_403
      @_response.status = 403
      headers = @_response.headers
      headers.clear
      headers[RodaResponseHeaders::CONTENT_TYPE] = 'text/html'
      headers[RodaResponseHeaders::CONTENT_LENGTH] ='0'
      throw :halt, @_response.finish_with_body([])
    when :clear_session
      session.clear
    when :csrf_failure_method
      @_request.on{_roda_route_csrf_failure(@_request)}
    when Proc
      RodaPlugins.warn "Passing a Proc as the :csrf_failure option value to check_csrf! is deprecated"
      @_request.on{instance_exec(@_request, &failure_action)} # Deprecated
    else
      raise RodaError, "Unsupported :csrf_failure option: #{failure_action.inspect}"
    end
  end
end

#csrf_field ⇒ Object

The name of the hidden input tag containing the CSRF token. Also used as the name for the meta tag.

# File 'lib/roda/plugins/route_csrf.rb', line 221

def csrf_field
  csrf_options[:field]
end

#csrf_header ⇒ Object

The HTTP header name to use when submitting CSRF tokens in an HTTP header, if such support is enabled (it is not by default).

# File 'lib/roda/plugins/route_csrf.rb', line 227

def csrf_header
  csrf_options[:header]
end

#csrf_metatag ⇒ Object

An HTML meta tag string containing a CSRF token that is not request-specific. It is not recommended to use this, as it doesn’t support request-specific tokens.

# File 'lib/roda/plugins/route_csrf.rb', line 233

def csrf_metatag
  "<meta name=\"#{csrf_field}\" content=\"#{csrf_token}\" \/>"
end

#csrf_path(action) ⇒ Object

Given a form action, return the appropriate path to use for the CSRF token. This makes it easier to generate request-specific tokens without having to worry about the different types of form actions (relative paths, absolute paths, URLs, empty paths).

# File 'lib/roda/plugins/route_csrf.rb', line 241

def csrf_path(action)
  case action
  when nil, '', /\A[#?]/
    # use current path
    request.path
  when /\A(?:https?:\/)?\//
    # Either full URI or absolute path, extract just the path
    URI.parse(action).path
  else
    # relative path, join to current path
    URI.join(request.url, action).path
  end
end

#csrf_tag(*args) ⇒ Object

An HTML hidden input tag string containing the CSRF token. See csrf_token for arguments.

# File 'lib/roda/plugins/route_csrf.rb', line 257

def csrf_tag(*args)
  "<input type=\"hidden\" name=\"#{csrf_field}\" value=\"#{csrf_token(*args)}\" \/>"
end

#csrf_token(path = nil, method = ('POST' if path)) ⇒ Object

The value of the csrf token. For a path specific token, provide a path argument. By default, it a path is provided, the POST request method will be assumed. To generate a token for a non-POST request method, pass the method as the second argument.

# File 'lib/roda/plugins/route_csrf.rb', line 265

def csrf_token(path=nil, method=('POST' if path))
  token = SecureRandom.random_bytes(31)
  token << csrf_hmac(token, method, path)
  [token].pack("m0")
end

#use_request_specific_csrf_tokens? ⇒ Boolean

Whether request-specific CSRF tokens should be used by default.

Returns:

• (Boolean)

# File 'lib/roda/plugins/route_csrf.rb', line 272

def use_request_specific_csrf_tokens?
  csrf_options[:require_request_specific_tokens]
end

#valid_csrf?(opts = OPTS) ⇒ Boolean

Whether the submitted CSRF token is valid for the request. True if the request does not require a CSRF token.

Returns:

• (Boolean)

# File 'lib/roda/plugins/route_csrf.rb', line 278

def valid_csrf?(opts=OPTS)
  csrf_invalid_message(opts).nil?
end