| 12345678910111213141516171819202122232425262728293031323334353637383940 |
- # frozen_string_literal: true
- module CookieBasedCsrf
- extend ActiveSupport::Concern
- included do
- after_action :delete_session_cookie
- after_action :set_csrf_token
- def delete_session_cookie
- cookies.delete(Rails.application.config.session_options[:key])
- end
- def set_csrf_token
- unless cookies[:jwt]
- cookies.delete(:_csrf_token)
- cookies.delete('x-csrf-token')
- return
- end
- cookies['x-csrf-token'] = {
- value: form_authenticity_token,
- httponly: false,
- secure: !(Rails.env.development? || Rails.env.test?),
- }
- end
- def real_csrf_token(_session)
- cookies.encrypted[:_csrf_token] ||= {
- value: SecureRandom.base64(
- ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH,
- ),
- httponly: true,
- secure: !(Rails.env.development? || Rails.env.test?),
- }
- Base64.strict_decode64(cookies.encrypted[:_csrf_token])
- end
- end
- end
|
