module ActionController::RequestForgeryProtection::ClassMethods
def protect_from_forgery(options = {})
protect_from_forgery with: CustomStrategy
class ApplicationController < ActionController:x:Base
end
end
# Custom behaviour for unverfied request
def handle_unverified_request
end
@controller = controller
def initialize(controller)
class CustomStrategy
You can also implement custom strategy classes for unverified request handling:
* :null_session - Provides an empty session during request but doesn't reset it completely. Used as default if :with option is not specified.
* :reset_session - Resets the session.
* :exception - Raises ActionController::InvalidAuthenticityToken exception.
Built-in unverified request handling methods are:
* :with - Set the method to handle unverified request.
If you need to add verification to the beginning of the callback chain, use prepend: true.
when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
* :prepend - By default, the verification of the authentication token will be added at the position of the
* :if / :unless - Turn off the forgery protection entirely depending on the passed Proc or method reference.
* :only / :except - Only apply forgery protection to a subset of actions. For example only: [ :create, :create_all ].
Valid Options:
skip_before_action :verify_authenticity_token
You can disable forgery protection on controller by skipping the verification before_action:
end
protect_from_forgery except: :index
class FooController < ApplicationController
end
protect_from_forgery
class ApplicationController < ActionController::Base
Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.
def protect_from_forgery(options = {}) options = options.reverse_merge(prepend: false) self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session) self.request_forgery_protection_token ||= :authenticity_token before_action :verify_authenticity_token, options append_after_action :verify_same_origin_request end
def protection_method_class(name)
def protection_method_class(name) case name when :null_session ProtectionMethods::NullSession when :reset_session ProtectionMethods::ResetSession when :exception ProtectionMethods::Exception when Class name else raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, :reset_session, or a custom forgery protection class." end end
def skip_forgery_protection(options = {})
skip_before_action :verify_authenticity_token
Turn off request forgery protection. This is a wrapper for:
def skip_forgery_protection(options = {}) skip_before_action :verify_authenticity_token, options.reverse_merge(raise: false) end