module ActionController::RequestForgeryProtection::ClassMethods
def is_storage_strategy?(object)
def is_storage_strategy?(object) object.respond_to?(:fetch) && object.respond_to?(:store) && object.respond_to?(:reset) end
def protect_from_forgery(options = {})
protect_from_forgery store: CustomStore.new
class ApplicationController < ActionController::Base
end
end
# Delete the stored session token
def reset(request)
end
# Store the token in a custom location
def store(request, csrf_token)
end
# Return the token from a custom location
def fetch(request)
class CustomStore
You can also implement custom strategy classes for CSRF token storage:
* :cookie - Store the CSRF token in an encrypted cookie.
* :session - Store the CSRF token in the session. Used as default if :store option is not specified.
Built-in session token strategies are:
* :store - Set the strategy to store and retrieve CSRF tokens.
end
protect_from_forgery with: CustomStrategy
class ApplicationController < ActionController::Base
end
end
# Custom behavior for unverfied request
def handle_unverified_request
end
@controller = controller
def initialize(controller)
class CustomStrategy
You can also implement custom strategy classes for unverified request handling:
* :null_session - Provides an empty session during request but doesn't reset it completely. Used as default if :with option is not specified.
* :reset_session - Resets the session.
* :exception - Raises ActionController::InvalidAuthenticityToken exception.
Built-in unverified request handling methods are:
Note if default_protect_from_forgery is true, Rails call protect_from_forgery with with :exception.
* :with - Set the method to handle unverified request.
If you need to add verification to the beginning of the callback chain, use prepend: true.
when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
* :prepend - By default, the verification of the authentication token will be added at the position of the
* :if / :unless - Turn off the forgery protection entirely depending on the passed Proc or method reference.
* :only / :except - Only apply forgery protection to a subset of actions. For example only: [ :create, :create_all ].
Valid Options:
end
skip_forgery_protection
class BarController < ApplicationController
You can disable forgery protection on a controller using skip_forgery_protection:
end
protect_from_forgery except: :index
class FooController < ApplicationController
end
protect_from_forgery
class ApplicationController < ActionController::Base
Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.
def protect_from_forgery(options = {}) options = options.reverse_merge(prepend: false) self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session) self.request_forgery_protection_token ||= :authenticity_token self.csrf_token_storage_strategy = storage_strategy(options[:store] || SessionStore.new) before_action :verify_authenticity_token, options append_after_action :verify_same_origin_request end
def protection_method_class(name)
def protection_method_class(name) case name when :null_session ProtectionMethods::NullSession when :reset_session ProtectionMethods::ResetSession when :exception ProtectionMethods::Exception when Class name else raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, :reset_session, or a custom forgery protection class." end end
def skip_forgery_protection(options = {})
skip_before_action :verify_authenticity_token
Turn off request forgery protection. This is a wrapper for:
def skip_forgery_protection(options = {}) skip_before_action :verify_authenticity_token, options.reverse_merge(raise: false) end
def storage_strategy(name)
def storage_strategy(name) case name when :session SessionStore.new when :cookie CookieStore.new(:csrf_token) else return name if is_storage_strategy?(name) raise ArgumentError, "Invalid CSRF token storage strategy, use :session, :cookie, or a custom CSRF token storage class." end end