module Rodauth::Rails::Feature::Csrf

Public Class Methods

included(feature)
# File lib/rodauth/rails/feature/csrf.rb, line 5
def self.included(feature)
  feature.auth_methods(
    :rails_csrf_tag,
    :rails_csrf_param,
    :rails_csrf_token,
    :rails_check_csrf!,
  )
end

Public Instance Methods

check_csrf()

Verify Rails' authenticity token.

# File lib/rodauth/rails/feature/csrf.rb, line 20
def check_csrf
  rails_check_csrf!
end

check_csrf?()

Have Rodauth call check_csrf automatically.

# File lib/rodauth/rails/feature/csrf.rb, line 25
def check_csrf?
  true
end

csrf_tag(*)

Render Rails CSRF tags in Rodauth templates.

# File lib/rodauth/rails/feature/csrf.rb, line 15
def csrf_tag(*)
  rails_csrf_tag
end

Private Instance Methods

rails_check_csrf!()

Calls the controller to verify the authenticity token.

# File lib/rodauth/rails/feature/csrf.rb, line 44
def rails_check_csrf!
  rails_controller_instance.send(:verify_authenticity_token)
end

rails_controller_callbacks() { || ... }

Calls superclass method

# File lib/rodauth/rails/feature/csrf.rb, line 31
def rails_controller_callbacks
  return super if rails_api_controller?

  # don't verify CSRF token as part of callbacks, Rodauth will do that
  rails_controller_instance.allow_forgery_protection = false
  super do
    # turn the setting back to default so that form tags generate CSRF tags
    rails_controller_instance.allow_forgery_protection = rails_controller.allow_forgery_protection
    yield
  end
end

rails_csrf_param()

The request parameter under which to send the Rails CSRF token.

# File lib/rodauth/rails/feature/csrf.rb, line 54
def rails_csrf_param
  rails_controller.request_forgery_protection_token
end

rails_csrf_tag()

Hidden tag with Rails CSRF token inserted into Rodauth templates.

# File lib/rodauth/rails/feature/csrf.rb, line 49
def rails_csrf_tag
  %(<input type="hidden" name="#{rails_csrf_param}" value="#{rails_csrf_token}">)
end

rails_csrf_token()

The Rails CSRF token value inserted into Rodauth templates.

# File lib/rodauth/rails/feature/csrf.rb, line 59
def rails_csrf_token
  rails_controller_instance.send(:form_authenticity_token)
end
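
Added example (not part of rodauth-rails): a self-contained Ruby simulation of the control flow in rails_controller_callbacks and check_csrf above, showing that token verification is skipped while controller callbacks run and is then performed once, with protection restored, inside the block. FakeController, run_callbacks, handle_request and the token strings are hypothetical stand-ins, and the token comparison is simplified to plain equality.

```ruby
# Constructed stand-ins (hypothetical); not Rails or rodauth-rails classes.
class FakeController
  class InvalidToken < StandardError; end
  class << self; attr_accessor :allow_forgery_protection; end
  self.allow_forgery_protection = true # class-level default
  attr_accessor :allow_forgery_protection
  attr_reader :log

  def initialize(session_token:, submitted_token:)
    @session_token = session_token
    @submitted_token = submitted_token
    @allow_forgery_protection = self.class.allow_forgery_protection
    @log = []
  end

  # No-op when protection is off, as in Rails; plain equality is a simplification.
  def verify_authenticity_token
    return @log << :skipped unless allow_forgery_protection
    @log << :verified
    raise InvalidToken unless @submitted_token == @session_token
  end

  # Stand-in for running before-callbacks around the route block.
  def run_callbacks
    verify_authenticity_token
    yield
  end
end

# Mirrors rails_controller_callbacks followed by check_csrf.
def handle_request(controller)
  controller.allow_forgery_protection = false # callbacks must not verify
  controller.run_callbacks do
    # restore the default, as the page's code does before yielding
    controller.allow_forgery_protection = controller.class.allow_forgery_protection
    controller.verify_authenticity_token # the check_csrf step
    :route_handled
  end
end

# Constructed tokens: a matching submission, then a forged one.
good = FakeController.new(session_token: "tok", submitted_token: "tok")
p handle_request(good), good.log
forged = FakeController.new(session_token: "tok", submitted_token: "x")
begin
  handle_request(forged)
rescue FakeController::InvalidToken
  p forged.log
end
```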