class Rack::Protection::AuthenticityToken

authenticity_param: Defines the param’s name that should contain the token on a request. Options: Compatible with rack-csrf. included in the session. Only accepts unsafe HTTP requests if a given access token matches the token More infos

en.wikipedia.org/wiki/Cross-site_request_forgery<br>Supported browsers

all Prevented attack: CSRF
#

def self.random_token

def self.random_token
  SecureRandom.base64(TOKEN_LENGTH)
end

def self.token(session)

def self.token(session)
  self.new(nil).mask_authenticity_token(session)
end

def accepts?(env)

def accepts?(env)
  session = session env
  set_token(session)
  safe?(env) ||
    valid_token?(session, env['HTTP_X_CSRF_TOKEN']) ||
    valid_token?(session, Request.new(env).params[options[:authenticity_param]]) ||
    ( options[:allow_if] && options[:allow_if].call(env) )
end

def compare_with_real_token(token, session)

def compare_with_real_token(token, session)
  secure_compare(token, real_token(session))
end

def decode_token(token)

def decode_token(token)
  Base64.strict_decode64(token)
end

def encode_token(token)

def encode_token(token)
  Base64.strict_encode64(token)
end

def mask_authenticity_token(session)

def mask_authenticity_token(session)
  token = set_token(session)
  mask_token(token)
end

def mask_token(token)

like BREACH.
on each request. The masking is used to mitigate SSL attacks
Creates a masked version of the authenticity token that varies

def mask_token(token)
  token = decode_token(token)
  one_time_pad = SecureRandom.random_bytes(token.length)
  encrypted_token = xor_byte_strings(one_time_pad, token)
  masked_token = one_time_pad + encrypted_token
  encode_token(masked_token)
end

def masked_token?(token)

def masked_token?(token)
  token.length == TOKEN_LENGTH * 2
end

def real_token(session)

def real_token(session)
  decode_token(session[:csrf])
end

def set_token(session)

def set_token(session)
  session[:csrf] ||= self.class.random_token
end

def unmask_token(masked_token)

Essentially the inverse of +mask_token+.

def unmask_token(masked_token)
  # Split the token into the one-time pad and the encrypted
  # value and decrypt it
  token_length = masked_token.length / 2
  one_time_pad = masked_token[0...token_length]
  encrypted_token = masked_token[token_length..-1]
  xor_byte_strings(one_time_pad, encrypted_token)
end

def unmasked_token?(token)

def unmasked_token?(token)
  token.length == TOKEN_LENGTH
end

def valid_token?(session, token)

session token.
Checks the client's masked token to see if it matches the

def valid_token?(session, token)
  return false if token.nil? || token.empty?
  begin
    token = decode_token(token)
  rescue ArgumentError # encoded_masked_token is invalid Base64
    return false
  end
  # See if it's actually a masked token or not. We should be able
  # to handle any unmasked tokens that we've issued without error.
  if unmasked_token?(token)
    compare_with_real_token token, session
  elsif masked_token?(token)
    token = unmask_token(token)
    compare_with_real_token token, session
  else
    false # Token is malformed
  end
end

def xor_byte_strings(s1, s2)

def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
end

Modules

Classes