demarches-normaliennes/app/controllers/application_controller/long_lived_authenticity_token.rb
2024-08-22 09:26:48 +02:00

48 lines
1.9 KiB
Ruby

# frozen_string_literal: true
module ApplicationController::LongLivedAuthenticityToken
extend ActiveSupport::Concern
COOKIE_NAME = :_csrf_token
# Override ActionController::RequestForgeryProtection#real_csrf_token with a
# version that reads from an external long-lived cookie (instead of reading from the session).
#
# See also:
# - The Architecture Documentation Record for this choice: docs/adr-csrf-forgery.md
# - The Rails issue: https://github.com/rails/rails/issues/21948
def real_csrf_token(session) # :doc:
# Read the CSRF token from the external long-lived cookie (or generate a new one)
#
# NB: For retro-compatibility with tokens created before this code was deployed,
# also try to read the token from the session.
csrf_token = cookies.signed[COOKIE_NAME] || session[:_csrf_token] || generate_csrf_token
# Write the (potentially new) token to an external long-lived cookie.
#
# NB: for forward-compatibility if we ever remove this code and revert back to session cookies,
# also write the token to the session.
cookies.signed[COOKIE_NAME] = {
value: csrf_token,
expires: 1.year.from_now,
httponly: true,
secure: Rails.env.production?
}
session[:_csrf_token] = csrf_token
decode_csrf_token(csrf_token)
end
end
# Clean-up the long-lived cookie if the winning strategy requests so.
# See:
# - devise-4.2.0/lib/devise/hooks/csrf_cleaner.rb
# - http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
Warden::Manager.after_authentication do |_record, warden, _options|
clean_up_for_winning_strategy = !warden.winning_strategy.respond_to?(:clean_up_csrf?) ||
warden.winning_strategy.clean_up_csrf?
if Devise.clean_up_csrf_token_on_authentication && clean_up_for_winning_strategy
warden.cookies.delete(ApplicationController::LongLivedAuthenticityToken::COOKIE_NAME)
end
end