module ActionController::RequestForgeryProtection::ClassMethods
def is_storage_strategy?(object)
def is_storage_strategy?(object) object.respond_to?(:fetch) && object.respond_to?(:store) && object.respond_to?(:reset) end
def protect_from_forgery(options = {})
protect_from_forgery store: CustomStore.new
class ApplicationController < ActionController::Base
end
end
# Delete the stored session token
def reset(request)
end
# Store the token in a custom location
def store(request, csrf_token)
end
# Return the token from a custom location
def fetch(request)
class CustomStore
You can also implement custom strategy classes for CSRF token storage:
* `:cookie` - Store the CSRF token in an encrypted cookie.
`:store` option is not specified.
* `:session` - Store the CSRF token in the session. Used as default if
Built-in session token strategies are:
* `:store` - Set the strategy to store and retrieve CSRF tokens.
end
protect_from_forgery with: CustomStrategy
class ApplicationController < ActionController::Base
end
end
# Custom behavior for unverfied request
def handle_unverified_request
end
@controller = controller
def initialize(controller)
class CustomStrategy
handling:
You can also implement custom strategy classes for unverified request
reset it completely. Used as default if `:with` option is not specified.
* `:null_session` - Provides an empty session during request but doesn't
* `:reset_session` - Resets the session.
exception.
* `:exception` - Raises ActionController::InvalidAuthenticityToken
Built-in unverified request handling methods are:
with `with :exception`.
`default_protect_from_forgery` is true, Rails call protect_from_forgery
* `:with` - Set the method to handle unverified request. Note if
use `prepend: true`.
If you need to add verification to the beginning of the callback chain,
like authentication methods (Oauth vs Cookie auth).
useful when you want your forgery protection to depend on other callbacks,
application. This means any callbacks added before are run first. This is
be added at the position of the protect_from_forgery call in your
* `:prepend` - By default, the verification of the authentication token will
the passed Proc or method reference.
* `:if` / `:unless` - Turn off the forgery protection entirely depending on
actions. For example `only: [ :create, :create_all ]`.
* `:only` / `:except` - Only apply forgery protection to a subset of
Valid Options:
end
skip_forgery_protection
class BarController < ApplicationController
skip_forgery_protection:
You can disable forgery protection on a controller using
end
protect_from_forgery except: :index
class FooController < ApplicationController
end
protect_from_forgery
class ApplicationController < ActionController::Base
are not checked.
Turn on request forgery protection. Bear in mind that GET and HEAD requests
def protect_from_forgery(options = {}) options = options.reverse_merge(prepend: false) self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session) self.request_forgery_protection_token ||= :authenticity_token self.csrf_token_storage_strategy = storage_strategy(options[:store] || SessionStore.new) before_action :verify_authenticity_token, options append_after_action :verify_same_origin_request end
def protection_method_class(name)
def protection_method_class(name) case name when :null_session ProtectionMethods::NullSession when :reset_session ProtectionMethods::ResetSession when :exception ProtectionMethods::Exception when Class name else raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, :reset_session, or a custom forgery protection class." end end
def skip_forgery_protection(options = {})
skip_before_action :verify_authenticity_token
Turn off request forgery protection. This is a wrapper for:
def skip_forgery_protection(options = {}) skip_before_action :verify_authenticity_token, options.reverse_merge(raise: false) end
def storage_strategy(name)
def storage_strategy(name) case name when :session SessionStore.new when :cookie CookieStore.new(:csrf_token) else return name if is_storage_strategy?(name) raise ArgumentError, "Invalid CSRF token storage strategy, use :session, :cookie, or a custom CSRF token storage class." end end