Module ActionController::RequestForgeryProtection
In: vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb

Methods

Classes and Modules

Module ActionController::RequestForgeryProtection::ClassMethods

Public Class methods

[Source]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 6
 6:     def self.included(base)
 7:       base.class_eval do
 8:         helper_method :form_authenticity_token
 9:         helper_method :protect_against_forgery?
10:       end
11:       base.extend(ClassMethods)
12:     end

Protected Instance methods

[Source]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 95
95:       def form_authenticity_param
96:         params[request_forgery_protection_token]
97:       end

Sets the token value for the current session. Pass a :secret option in protect_from_forgery to add a custom salt to the hash.

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 105
105:       def form_authenticity_token
106:         session[:_csrf_token] ||= ActiveSupport::SecureRandom.base64(32)
107:       end

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 109
109:       def protect_against_forgery?
110:         allow_forgery_protection && request_forgery_protection_token
111:       end

[Source]

     # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 99
 99:       def verifiable_request_format?
100:         !request.content_type.nil? && request.content_type.verify_request?
101:       end

Returns true or false if a request is verified. Checks:

  • is the format restricted? By default, only HTML requests are checked.
  • is it a GET request? Gets should be safe and idempotent
  • Does the form_authenticity_token match the given token value from the params?

[Source]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 87
87:       def verified_request?
88:         !protect_against_forgery?     ||
89:           request.method == :get      ||
90:           request.xhr?                ||
91:           !verifiable_request_format? ||
92:           form_authenticity_token == form_authenticity_param
93:       end

The actual before_filter that is used. Modify this to change how you handle unverified requests.

[Source]

    # File vendor/rails/actionpack/lib/action_controller/request_forgery_protection.rb, line 78
78:       def verify_authenticity_token
79:         verified_request? || raise(ActionController::InvalidAuthenticityToken)
80:       end

[Validate]