DGNum/demarches-normaliennes
13
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

app: use a long-lived cookie for CSRF token

Browse source 
See the ADR document for rationale.
This commit is contained in:
Pierre de La Morinerie 2021-07-06 14:29:23 +00:00
parent 446c57ed63
commit 831672391e
5 changed files with 280 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

45
app/controllers/application_controller/long_lived_authenticity_token.rb Normal file
View file

@ -0,0 +1,45 @@
module ApplicationController::LongLivedAuthenticityToken
extend ActiveSupport::Concern
COOKIE_NAME = :_csrf_token
# Override ActionController::RequestForgeryProtection#real_csrf_token with a
# version that reads from an external long-lived cookie (instead of reading from the session).
#
# See also:
# - The Architecture Documentation Record for this choice: docs/adr-csrf-forgery.md
# - The Rails issue: https://github.com/rails/rails/issues/21948
def real_csrf_token(session) # :doc:
# Read the CSRF token from the external long-lived cookie (or generate a new one)
#
# NB: For retro-compatibility with tokens created before this code was deployed,
# also try to read the token from the session.
csrf_token = cookies.signed[COOKIE_NAME] || session[:_csrf_token] || generate_csrf_token
# Write the (potentially new) token to an external long-lived cookie.
#
# NB: for forward-compatibility if we ever remove this code and revert back to session cookies,
# also write the token to the session.
cookies.signed[COOKIE_NAME] = {
value: csrf_token,
expires: 1.year.from_now,
httponly: true
}
session[:_csrf_token] = csrf_token
decode_csrf_token(csrf_token)
end
end
# Clean-up the long-lived cookie if the winning strategy requests so.
# See:
# - devise-4.2.0/lib/devise/hooks/csrf_cleaner.rb
# - http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
Warden::Manager.after_authentication do |_record, warden, _options|
clean_up_for_winning_strategy = !warden.winning_strategy.respond_to?(:clean_up_csrf?) ||
warden.winning_strategy.clean_up_csrf?
if Devise.clean_up_csrf_token_on_authentication && clean_up_for_winning_strategy
warden.cookies.delete(ApplicationController::LongLivedAuthenticityToken::COOKIE_NAME)
end
end