module UnifiedCsrfPrevention::Core

Low-level routines and constants. See github.com/xing/cross-application-csrf-prevention#low-level-implementation-details for the details of the token/checksum scheme these implement.

Constants

TOKEN_RACK_ENV_VAR

Public Class Methods

checksum_for(token)
# File lib/unified_csrf_prevention/core.rb, line 25
# Unpadded base64url HMAC-SHA256 of +token+, keyed with the shared secret.
#
# @param token [String] the token to authenticate
# @return [String] the encoded MAC that serves as the token's checksum
# @raise [UnifiedCsrfPrevention::ConfigurationError] propagated from
#   shared_secret_key when no key is configured
def checksum_for(token)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, shared_secret_key, token)
  encode(mac)
end
generate_token()
# File lib/unified_csrf_prevention/core.rb, line 19
# Fresh random token of exactly ActionController::Base::AUTHENTICITY_TOKEN_LENGTH
# base64url characters, drawn from SecureRandom.
#
# @return [String]
def generate_token
  length = ActionController::Base::AUTHENTICITY_TOKEN_LENGTH
  # base64 emits 4 characters per 3 input bytes, so 3/4 of the target length
  # (rounded up) in random bytes always encodes to at least +length+
  # characters; the slice trims any excess.
  byte_count = (length * 0.75).ceil
  encode(SecureRandom.random_bytes(byte_count))[0...length]
end
valid_token?(token, checksum)
# File lib/unified_csrf_prevention/core.rb, line 31
# True when +checksum+ equals checksum_for(+token+).
#
# A nil token or nil checksum is rejected up front, before the secret is
# touched. The comparison uses secure_compare rather than ==, so its timing
# does not reveal how many leading bytes of the two values agree.
#
# @param token [String, nil]
# @param checksum [String, nil]
# @return [Boolean]
def valid_token?(token, checksum)
  return false if token.nil? || checksum.nil?

  ActiveSupport::SecurityUtils.secure_compare(checksum_for(token), checksum)
end

Private Class Methods

encode(binary_string)
# File lib/unified_csrf_prevention/core.rb, line 43
# URL-safe base64 of +binary_string+ without trailing "=" padding
# (the form used for both tokens and checksums).
#
# @param binary_string [String] raw bytes
# @return [String] base64url text
def encode(binary_string)
  # Standard base64, then the URL-safe alphabet swap and padding strip.
  Base64.strict_encode64(binary_string).tr('+/', '-_').delete('=')
end
shared_secret_key()
# File lib/unified_csrf_prevention/core.rb, line 37
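# The HMAC key read from Rails.configuration.unified_csrf_prevention_key.
#
# An unset key surfaces as a NoMethodError from the configuration object and
# is reported as a ConfigurationError. A key that is set but nil or empty is
# rejected the same way: an HMAC over an empty key still "works", and would
# yield checksums anyone can compute.
#
# @return [String] the configured key
# @raise [UnifiedCsrfPrevention::ConfigurationError] when the setting is
#   missing, nil or empty
def shared_secret_key
  key = Rails.configuration.unified_csrf_prevention_key
  if key.nil? || key.to_s.empty?
    raise UnifiedCsrfPrevention::ConfigurationError, 'Configuration setting `unified_csrf_prevention_key` is blank'
  end
  key
rescue NoMethodError
  raise UnifiedCsrfPrevention::ConfigurationError, 'Configuration setting `unified_csrf_prevention_key` is not defined'
end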