require 'securerandom' module Lotus module Action # Invalid CSRF Token # # @since 0.4.0 class InvalidCSRFTokenError < ::StandardError end # CSRF Protection # # This security mechanism is enabled automatically if sessions are turned on. # # It stores a "challenge" token in session. For each "state changing request" # (eg. POST, PATCH etc..), we should send a special param: # _csrf_token. # # If the param matches with the challenge token, the flow can continue. # Otherwise the application detects an attack attempt, it reset the session # and Lotus::Action::InvalidCSRFTokenError is raised. # # We can specify a custom handling strategy, by overriding #handle_invalid_csrf_token. # # Form helper (#form_for) automatically sets a hidden field with the # correct token. A special view method (#csrf_token) is available in # case the form markup is manually crafted. # # We can disable this check on action basis, by overriding #verify_csrf_token?. # # @since 0.4.0 # # @see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 # @see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet # # @example Custom Handling # module Web::Controllers::Books # class Create # include Web::Action # # def call(params) # # ... # end # # private # # def handle_invalid_csrf_token # Web::Logger.warn "CSRF attack: expected #{ session[:_csrf_token] }, was #{ params[:_csrf_token] }" # # manual handling # end # end # end # # @example Bypass Security Check # module Web::Controllers::Books # class Create # include Web::Action # # def call(params) # # ... # end # # private # # def verify_csrf_token? # false # end # end # end module CSRFProtection # Session and params key for CSRF token. # # This key is shared with lotus-controller and lotus-helpers # # @since 0.4.0 # @api private CSRF_TOKEN = :_csrf_token # Idempotent HTTP methods # # By default, the check isn't performed if the request method is included # in this list. # # @since 0.4.0 # @api private IDEMPOTENT_HTTP_METHODS = Hash[ 'GET' => true, 'HEAD' => true, 'TRACE' => true, 'OPTIONS' => true ].freeze # @since 0.4.0 # @api private def self.included(action) action.class_eval do before :set_csrf_token, :verify_csrf_token end unless Lotus.env?(:test) end private # Set CSRF Token in session # # @since 0.4.0 # @api private def set_csrf_token session[CSRF_TOKEN] ||= generate_csrf_token end # Verify if CSRF token from params, matches the one stored in session. # If not, it raises an error. # # Don't override this method. # # To bypass the security check, please override #verify_csrf_token?. # For custom handling of an attack, please override #handle_invalid_csrf_token. # # @since 0.4.0 # @api private def verify_csrf_token handle_invalid_csrf_token if invalid_csrf_token? end # Verify if CSRF token from params, matches the one stored in session. # # Don't override this method. # # @since 0.4.0 # @api private def invalid_csrf_token? verify_csrf_token? && session[CSRF_TOKEN] != params[CSRF_TOKEN] end # Generates a random CSRF Token # # @since 0.4.0 # @api private def generate_csrf_token SecureRandom.hex(32) end # Decide if perform the check or not. # # Override and return false if you want to bypass security check. # # @since 0.4.0 def verify_csrf_token? !IDEMPOTENT_HTTP_METHODS[request_method] end # Handle CSRF attack. # # The default policy resets the session and raises an exception. # # Override this method, for custom handling. # # @raise [Lotus::Action::InvalidCSRFTokenError] # # @since 0.4.0 def handle_invalid_csrf_token session.clear raise InvalidCSRFTokenError.new end end end end