45 lines
1.8 KiB
Ruby
45 lines
1.8 KiB
Ruby
module ApplicationController::LongLivedAuthenticityToken
|
|
extend ActiveSupport::Concern
|
|
|
|
COOKIE_NAME = :_csrf_token
|
|
|
|
# Override ActionController::RequestForgeryProtection#real_csrf_token with a
|
|
# version that reads from an external long-lived cookie (instead of reading from the session).
|
|
#
|
|
# See also:
|
|
# - The Architecture Documentation Record for this choice: docs/adr-csrf-forgery.md
|
|
# - The Rails issue: https://github.com/rails/rails/issues/21948
|
|
def real_csrf_token(session) # :doc:
|
|
# Read the CSRF token from the external long-lived cookie (or generate a new one)
|
|
#
|
|
# NB: For retro-compatibility with tokens created before this code was deployed,
|
|
# also try to read the token from the session.
|
|
|
|
csrf_token = cookies.signed[COOKIE_NAME] || session[:_csrf_token] || generate_csrf_token
|
|
|
|
# Write the (potentially new) token to an external long-lived cookie.
|
|
#
|
|
# NB: for forward-compatibility if we ever remove this code and revert back to session cookies,
|
|
# also write the token to the session.
|
|
cookies.signed[COOKIE_NAME] = {
|
|
value: csrf_token,
|
|
expires: 1.year.from_now,
|
|
httponly: true
|
|
}
|
|
session[:_csrf_token] = csrf_token
|
|
|
|
decode_csrf_token(csrf_token)
|
|
end
|
|
end
|
|
|
|
# Clean-up the long-lived cookie if the winning strategy requests so.
|
|
# See:
|
|
# - devise-4.2.0/lib/devise/hooks/csrf_cleaner.rb
|
|
# - http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
|
|
Warden::Manager.after_authentication do |_record, warden, _options|
|
|
clean_up_for_winning_strategy = !warden.winning_strategy.respond_to?(:clean_up_csrf?) ||
|
|
warden.winning_strategy.clean_up_csrf?
|
|
if Devise.clean_up_csrf_token_on_authentication && clean_up_for_winning_strategy
|
|
warden.cookies.delete(ApplicationController::LongLivedAuthenticityToken::COOKIE_NAME)
|
|
end
|
|
end
|