
# frozen_string_literal: true

module Quilt
  # Forgery-protection strategy in the shape of Rails' ProtectionMethods
  # (see the ActionController reference in #fallback_handler): when Rails
  # hands an unverified request to #handle_unverified_request, the request
  # is let through only if it carries `x-shopify-react-xhr: 1`.
  #
  # Security model (custom-request-header CSRF defence): browsers will not
  # attach a non-standard header to a cross-origin request without a CORS
  # preflight, so the header's presence signals that same-origin script made
  # the call. Non-browser clients can set it freely, which is fine -- they
  # are not subject to CSRF. The value is a marker, not a secret, so a plain
  # `==` comparison is adequate.
  #
  # NOTE(review): the defence is only as strong as the app's CORS policy. If
  # the CORS middleware allows `x-shopify-react-xhr` on credentialed requests
  # from arbitrary origins, this check no longer proves anything -- confirm
  # the allowed-headers / allowed-origins configuration.
  #
  # NOTE(review): NoSameSiteHeaderError derives from StandardError, not from
  # ActionController::InvalidAuthenticityToken, so Rails' built-in handling
  # for token failures presumably does not apply and an unhandled failure
  # surfaces as a server error -- confirm a rescue_from covers it, or that a
  # fail-closed 500 is the intended outcome.
  class HeaderCsrfStrategy
    HEADER = "x-shopify-react-xhr"
    HEADER_VALUE = "1"

    # @param controller [#request] object exposing `request.headers`; only
    #   that accessor is used
    def initialize(controller)
      @controller = controller
    end

    # Entry point Rails calls once its own authenticity check has failed.
    # Returns nil when the marker header is present with the expected value;
    # raises otherwise, so a missing or altered header always fails closed.
    #
    # @return [nil]
    # @raise [NoSameSiteHeaderError] header absent or not equal to HEADER_VALUE
    def handle_unverified_request
      return if same_site?

      raise NoSameSiteHeaderError
    end

    private

    # True only when the marker header is present and exactly HEADER_VALUE.
    # "same_site" here means the request passed the browser's same-origin /
    # CORS gate; it is unrelated to the SameSite cookie attribute.
    def same_site?
      received = @controller.request.headers[HEADER]
      received == HEADER_VALUE
    end

    # Rails' default exception-raising protection method for this controller.
    # Not invoked anywhere in this class; presumably kept so a subclass can
    # delegate to stock Rails behaviour -- TODO confirm it is still wanted.
    def fallback_handler
      ActionController::RequestForgeryProtection::ProtectionMethods::Exception.new(@controller)
    end

    # Raised when the marker header is missing or carries the wrong value.
    # The message deliberately does not echo the received value.
    class NoSameSiteHeaderError < StandardError
      def initialize
        super(
          "CSRF verification failed. This request is missing the " \
          "`x-shopify-react-xhr` header, or it does not have the expected value."
        )
      end
    end
  end
end

Version data entries

11 entries across 11 versions & 1 rubygems

Version Path
quilt_rails-3.3.0 lib/quilt_rails/header_csrf_strategy.rb
quilt_rails-3.2.1 lib/quilt_rails/header_csrf_strategy.rb
quilt_rails-3.1.1 lib/quilt_rails/header_csrf_strategy.rb
quilt_rails-3.1.0 lib/quilt_rails/header_csrf_strategy.rb
quilt_rails-3.0.0 lib/quilt_rails/header_csrf_strategy.rb
quilt_rails-2.0.0 lib/quilt_rails/header_csrf_strategy.rb
quilt_rails-1.13.0 lib/quilt_rails/header_csrf_strategy.rb
quilt_rails-1.12.2 lib/quilt_rails/header_csrf_strategy.rb
quilt_rails-1.12.1 lib/quilt_rails/header_csrf_strategy.rb
quilt_rails-1.12.0 lib/quilt_rails/header_csrf_strategy.rb
quilt_rails-1.11.1 lib/quilt_rails/header_csrf_strategy.rb