Sha256: a08fff830a1751473db82c5f819e45af9ce968b24cbc365c312593fb394dd57f

Contents?: true

Size: 911 Bytes

Versions: 50

Compression:

Stored size: 911 Bytes

Contents

require 'rack/protection'

module Rack
  module Protection
    ##
    # Prevented attack::   CSRF
    # Supported browsers:: all
    # More infos::         http://en.wikipedia.org/wiki/Cross-site_request_forgery
    #
    # Only accepts unsafe HTTP requests if a given access token matches the token
    # included in the session.
    #
    # Compatible with Rails and rack-csrf.
    #
    # Options:
    #
    # authenticity_param: Defines the param's name that should contain the token on a request.
    #
    class AuthenticityToken < Base
      default_options :authenticity_param => 'authenticity_token'

      def accepts?(env)
        session = session env
        token   = session[:csrf] ||= session['_csrf_token'] || random_string
        safe?(env) ||
          env['HTTP_X_CSRF_TOKEN'] == token ||
          Request.new(env).params[options[:authenticity_param]] == token
      end
    end
  end
end
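
An added example, not part of rack-protection: a stand-alone Ruby model of the check in `accepts?` above, with `==` swapped for a constant-time comparison so that comparison time does not depend on how many leading bytes of a submitted token match. The method names, the safe-method list and the sample requests are assumptions constructed for illustration.

```ruby
require 'securerandom'

# Assumption: methods treated as "safe" (the page does not list them).
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Constant-time string comparison; non-strings and length mismatches fail.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical model of accepts?: env, session and params are plain hashes.
def accepts_request?(env, session, params, param_name = 'authenticity_token')
  # As in the original, the token is issued before the method check, so a
  # safe request seeds the session for later unsafe ones.
  token = session[:csrf] ||= session['_csrf_token'] || SecureRandom.hex(32)
  return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
  secure_compare(env['HTTP_X_CSRF_TOKEN'], token) ||
    secure_compare(params[param_name], token)
end

# Constructed sample requests, evaluated against one shared session.
def demo
  session = {}
  post = { 'REQUEST_METHOD' => 'POST' }
  out = {}
  out[:get] = accepts_request?({ 'REQUEST_METHOD' => 'GET' }, session, {})
  token = session[:csrf]
  out[:post_without_token] = accepts_request?(post, session, {})
  out[:post_header] = accepts_request?(post.merge({ 'HTTP_X_CSRF_TOKEN' => token }), session, {})
  out[:post_param] = accepts_request?(post, session, { 'authenticity_token' => token })
  out[:post_wrong_token] = accepts_request?(post, session, { 'authenticity_token' => 'x' * token.length })
  # A param parsed as an array (authenticity_token[]=...) must not match.
  out[:post_array_param] = accepts_request?(post, session, { 'authenticity_token' => [token] })
  # A Rails-style session key is picked up as the expected token.
  out[:rails_session] = accepts_request?(post, { '_csrf_token' => 'abc' }, { 'authenticity_token' => 'abc' })
  out
end

p demo if __FILE__ == $PROGRAM_NAME
```
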

Version data entries

50 entries across 49 versions & 17 rubygems

Version Path
scout_realtime-0.5.5.pre lib/vendor/rack-protection-1.5.1/lib/rack/protection/authenticity_token.rb
scout_realtime-0.5.4 lib/vendor/rack-protection-1.5.1/lib/rack/protection/authenticity_token.rb
scout_realtime-0.5.3 lib/vendor/rack-protection-1.5.1/lib/rack/protection/authenticity_token.rb
scout_realtime-0.5.2 lib/vendor/rack-protection-1.5.1/lib/rack/protection/authenticity_token.rb
scout_realtime-0.5.1 lib/vendor/rack-protection-1.5.1/lib/rack/protection/authenticity_token.rb
rack-protection-1.5.2 lib/rack/protection/authenticity_token.rb
mango-0.8.0 vendor/bundler/ruby/2.1.0/gems/rack-protection-1.5.1/lib/rack/protection/authenticity_token.rb
mango-0.7.1 vendor/bundler/ruby/2.0.0/gems/rack-protection-1.5.1/lib/rack/protection/authenticity_token.rb
mango-0.7.0 vendor/bundler/ruby/2.0.0/gems/rack-protection-1.5.1/lib/rack/protection/authenticity_token.rb
rack-protection-1.5.1 lib/rack/protection/authenticity_token.rb