lib/roda/plugins/route_csrf.rb in roda-3.72.0 vs lib/roda/plugins/route_csrf.rb in roda-3.73.0
- old
+ new
@@ -1,8 +1,7 @@
# frozen-string-literal: true
-require 'base64'
require 'openssl'
require 'securerandom'
require 'uri'
require 'rack/utils'
@@ -161,10 +160,14 @@
# Exception class raised when :csrf_failure option is :raise and
# a valid CSRF token was not provided.
class InvalidToken < RodaError; end
+ def self.load_dependencies(app, opts=OPTS)
+ app.plugin :_base64
+ end
+
def self.configure(app, opts=OPTS, &block)
options = app.opts[:route_csrf] = (app.opts[:route_csrf] || DEFAULTS).merge(opts)
if block || opts[:csrf_failure].is_a?(Proc)
if block && opts[:csrf_failure]
raise RodaError, "Cannot specify both route_csrf plugin block and :csrf_failure option"
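Review bot: The new `load_dependencies` hook loads the internal `_base64` plugin with no comment saying why the stdlib `require 'base64'` at the top of the file was dropped in its favour, so a reader who meets the `Base64_` constant later in the file has nothing to connect it to this hook. Suggest `# Base64 encode/decode comes from the internal _base64 plugin rather than the base64 library` above the method. Presumably the motivation is to avoid a dependency on the base64 gem, which is no longer bundled by default in newer Rubies; if so, that is worth stating here. The unused `opts` parameter appears to follow the same hook signature as `configure` below and is fine as is.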
@@ -258,11 +261,11 @@
# be assumed. To generate a token for a non-POST request method, pass the
# method as the second argument.
def csrf_token(path=nil, method=('POST' if path))
token = SecureRandom.random_bytes(31)
token << csrf_hmac(token, method, path)
- Base64.strict_encode64(token)
+ [token].pack("m0")
end
# Whether request-specific CSRF tokens should be used by default.
def use_request_specific_csrf_tokens?
csrf_options[:require_request_specific_tokens]
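Review bot: The `[token].pack("m0")` replacement silently relies on the `"m0"` directive being strict base64 (single line, no trailing newline), which is exactly what `Base64.strict_encode64` uses, but nothing at the call site says so and the validator elsewhere in this file hard-codes an 84-byte encoded length that depends on it. Suggest `# "m0" is strict base64 (no newline); the validator checks for exactly 84 encoded characters` above the pack call, so nobody later swaps in the lenient `"m"` form, which appends a newline and would break that length check. The 84-character figure implies a 63-byte raw token (31 random bytes plus whatever `csrf_hmac` returns), which I cannot confirm from this hunk since `csrf_hmac` is defined elsewhere.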
@@ -312,11 +315,11 @@
unless encoded_token.bytesize == 84
return "encoded token length is not 84"
end
begin
- submitted_hmac = Base64.strict_decode64(encoded_token)
+ submitted_hmac = Base64_.decode64(encoded_token)
rescue ArgumentError
return "encoded token is not valid base64"
end
random_data = submitted_hmac.slice!(0...31)
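Review bot: The `rescue ArgumentError` on the line after the changed call only keeps the `"encoded token is not valid base64"` branch alive if `Base64_.decode64` raises `ArgumentError` on malformed input the way `Base64.strict_decode64` (which is `unpack1("m0")`) did; the `_base64` plugin is not in this diff, so that contract should be confirmed before merging. If the plugin decodes leniently (`unpack("m")`), malformed or non-canonical tokens would fall through to the HMAC comparison after the hunk instead of being rejected here — as far as this hunk shows that is a change of failure message rather than a bypass, since the HMAC check presumably still has to succeed, but it would leave the rescue as dead code. Suggest recording the dependency at the call site: `# Base64_.decode64 must be strict and raise ArgumentError on invalid input; see rescue below`. The enclosing method starts before this hunk and continues after it.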
@@ -352,10 +355,10 @@
# If a secret has not already been specified, generate a random 32-byte
# secret, stored base64 encoded in the session (to handle cases where
# JSON is used for session serialization).
def csrf_secret
key = session[csrf_options[:key]] ||= SecureRandom.base64(32)
- Base64.strict_decode64(key)
+ Base64_.decode64(key)
end
end
end
register_plugin(:route_csrf, RouteCsrf)