# frozen_string_literal: true module AngularRailsCsrf module Concern extend ActiveSupport::Concern included do after_action :set_xsrf_token_cookie end def set_xsrf_token_cookie return unless protect_against_forgery? && !respond_to?(:__exclude_xsrf_token_cookie?) config = Rails.application.config same_site = same_site_from config secure = secure_from config cookie_options = { value: form_authenticity_token, domain: domain_from(config), same_site: same_site, secure: same_site.eql?(:none) || secure } cookie_name = cookie_name_from config cookies[cookie_name] = cookie_options end def verified_request? if respond_to?(:valid_authenticity_token?, true) super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN']) else super || form_authenticity_token == request.headers['X-XSRF-TOKEN'] end end private def same_site_from(config) config.respond_to?(:angular_rails_csrf_same_site) ? config.angular_rails_csrf_same_site : :lax end def secure_from(config) config.angular_rails_csrf_secure if config.respond_to?(:angular_rails_csrf_secure) end def domain_from(config) config.respond_to?(:angular_rails_csrf_domain) ? config.angular_rails_csrf_domain : nil end def cookie_name_from(config) config.respond_to?(:angular_rails_csrf_cookie_name) ? config.angular_rails_csrf_cookie_name : 'XSRF-TOKEN' end module ClassMethods def exclude_xsrf_token_cookie class_eval do def __exclude_xsrf_token_cookie? true end end end end end end