module ActionController::RequestForgeryProtection
# The CSRF token as submitted by the client in the request parameters.
#
# Looks the token up under the key named by +request_forgery_protection_token+.
# @return [Object, nil] whatever the params hold under that key (nil when absent)
def form_authenticity_param
  token_key = request_forgery_protection_token
  params[token_key]
end
# The per-session CSRF token that forms embed and that incoming requests
# must echo back.
#
# The token lives in the session under +:_csrf_token+ and is generated
# lazily: a new 32-byte random value (base64 encoded) is created only when
# the session does not already hold one, so repeated calls within a
# session return the same string.
# @return [String] the session's CSRF token
def form_authenticity_token
  session[:_csrf_token] || (session[:_csrf_token] = SecureRandom.base64(32))
end
# Reacts to a request whose CSRF token could not be verified.
#
# Delegates to the configured +forgery_protection_strategy+: the strategy
# class is instantiated with this controller and asked to handle the
# request. What "handling" means is entirely up to the strategy.
# @return [Object] whatever the strategy's +handle_unverified_request+ returns
def handle_unverified_request
  strategy = forgery_protection_strategy.new(self)
  strategy.handle_unverified_request
end
# Whether CSRF verification is enabled for this controller.
#
# Simply exposes the +allow_forgery_protection+ setting; the value is
# returned as-is, not coerced to a strict boolean.
# @return [Object] the current +allow_forgery_protection+ value
def protect_against_forgery?
  allow_forgery_protection
end
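# Returns true or false if a request is verified. Checks:
#
# * is it a GET or HEAD request?  Gets should be safe and idempotent
# * Does the form_authenticity_token match the given token value from the params?
# * Does the form_authenticity_token match the +X-CSRF-Token+ request header?
#
# A request is also considered verified whenever protection is switched
# off (+protect_against_forgery?+ is false).
#
# Both token comparisons are timing-independent: the whole candidate is
# always examined rather than stopping at the first differing byte, so the
# time taken does not reveal how much of the session token a submitted
# value got right. A candidate that is not a String (missing parameter,
# nested/array parameter) never matches.
# @return [Boolean]
def verified_request?
  return true unless protect_against_forgery?
  return true if request.get? || request.head?

  expected = form_authenticity_token
  # Length is checked up front (the token length is not secret); after that
  # every byte pair is folded into the accumulator regardless of mismatches.
  matches = lambda do |candidate|
    next false unless candidate.is_a?(String) && candidate.bytesize == expected.bytesize

    expected.bytes.zip(candidate.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  matches.call(params[request_forgery_protection_token]) ||
    matches.call(request.headers['X-CSRF-Token'])
end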
# Filter entry point for CSRF checking.
#
# Does nothing for a verified request. Otherwise it logs a warning (when a
# logger is available) and hands the request to +handle_unverified_request+.
# @return [nil] for a verified request, else the result of +handle_unverified_request+
def verify_authenticity_token
  return if verified_request?

  logger.warn "Can't verify CSRF token authenticity" if logger
  handle_unverified_request
end