Home Explore Help
Sign In
ajswis
/
pokemon.trade
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 9bd711ecec
Branches Tags
pokemon.trade
/
app
/
controllers
/
concerns
/
cookie_based_csrf.rb

cookie_based_csrf.rb 1.0 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041 
  1. # frozen_string_literal: true
    2. 

  2. 

  3. module CookieBasedCsrf
    4. 

  4.   extend ActiveSupport::Concern
    5. 

  5. 

  6.   included do
    7. 

  7.     after_action :delete_session_cookie
    8. 

  8.     after_action :set_csrf_token
    9. 

  9. 

  10.     def delete_session_cookie
    11. 

  11.       cookies.delete(Rails.application.config.session_options[:key])
    12. 

  12.     end
    13. 

  13. 

  14.     def set_csrf_token
    15. 

  15.       # If no JWT, reset CSRF tokens
    16. 

  16.       unless cookies[:jwt]
    17. 

  17.         cookies.delete(:_csrf_token)
    18. 

  18.         cookies.delete('x-csrf-token')
    19. 

  19.         return
    20. 

  20.       end
    21. 

  21. 

  22.       cookies['x-csrf-token'] = {
    23. 

  23.         value: form_authenticity_token,
    24. 

  24.         httponly: false,
    25. 

  25.         secure: !(Rails.env.development? || Rails.env.test?),
    26. 

  26.       }
    27. 

  27.     end
    28. 

  28. 

  29.     def real_csrf_token(_session)
    30. 

  30.       cookies.encrypted[:_csrf_token] ||= {
    31. 

  31.         value: SecureRandom.base64(
    32. 

  32.           ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH,
    33. 

  33.         ),
    34. 

  34.         httponly: true,
    35. 

  35.         secure: !(Rails.env.development? || Rails.env.test?),
    36. 

  36.       }
    37. 

  37. 

  38.       Base64.strict_decode64(cookies.encrypted[:_csrf_token])
    39. 

  39.     end
    40. 

  40.   end
    41. 

  41. end
    42.