module ApplicationController::LongLivedAuthenticityToken
  extend ActiveSupport::Concern

  COOKIE_NAME = :_csrf_token

  # Override ActionController::RequestForgeryProtection#real_csrf_token with a
  # version that reads from an external long-lived cookie (instead of reading from the session).
  #
  # See also:
  # - The Architecture Documentation Record for this choice: docs/adr-csrf-forgery.md
  # - The Rails issue: https://github.com/rails/rails/issues/21948
  def real_csrf_token(session) # :doc:
    # Read the CSRF token from the external long-lived cookie (or generate a new one)
    #
    # NB: For retro-compatibility with tokens created before this code was deployed,
    # also try to read the token from the session.

    csrf_token = cookies.signed[COOKIE_NAME] || session[:_csrf_token] || generate_csrf_token

    # Write the (potentially new) token to an external long-lived cookie.
    #
    # NB: for forward-compatibility if we ever remove this code and revert back to session cookies,
    # also write the token to the session.
    cookies.signed[COOKIE_NAME] = {
      value: csrf_token,
      expires: 1.year.from_now,
      httponly: true
    }
    session[:_csrf_token] = csrf_token

    decode_csrf_token(csrf_token)
  end
end

# Clean-up the long-lived cookie if the winning strategy requests so.
# See:
# - devise-4.2.0/lib/devise/hooks/csrf_cleaner.rb
# - http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
Warden::Manager.after_authentication do |_record, warden, _options|
  clean_up_for_winning_strategy = !warden.winning_strategy.respond_to?(:clean_up_csrf?) ||
    warden.winning_strategy.clean_up_csrf?
  if Devise.clean_up_csrf_token_on_authentication && clean_up_for_winning_strategy
    warden.cookies.delete(ApplicationController::LongLivedAuthenticityToken::COOKIE_NAME)
  end
end