module UnifiedCsrfPrevention::Core
Low-level routines and constants. See github.com/xing/cross-application-csrf-prevention#low-level-implementation-details for the protocol these implement.
Constants
- CHECKSUM_COOKIE_NAME
- TOKEN_COOKIE_NAME
- TOKEN_RACK_ENV_VAR
Public Class Methods
checksum_for(token)
# File lib/unified_csrf_prevention/core.rb, line 25
# Derive the checksum that accompanies a CSRF token.
#
# The checksum is an HMAC-SHA256 over +token+ keyed with +shared_secret_key+
# (the key must stay secret: anyone who knows it can mint a valid checksum
# for any token). The raw 32-byte MAC is returned URL-safe-Base64 encoded
# without padding, so it is safe to carry in a cookie.
#
# @param token [String] the token to authenticate
# @return [String] unpadded URL-safe Base64 encoding of the HMAC
def checksum_for(token)
  mac = OpenSSL::HMAC.digest("SHA256", shared_secret_key, token)
  encode(mac)
end
generate_token()
# File lib/unified_csrf_prevention/core.rb, line 19
# Generate a fresh CSRF token.
#
# The token is made of bytes from SecureRandom (a CSPRNG), encoded as
# unpadded URL-safe Base64 and cut to
# ActionController::Base::AUTHENTICITY_TOKEN_LENGTH characters, so it has the
# same length as a Rails authenticity token. Because Base64 spends four
# characters on every three bytes, ceil(3/4 * length) random bytes are
# enough to fill the requested length; the slice drops any surplus.
#
# @return [String] token of AUTHENTICITY_TOKEN_LENGTH URL-safe characters
def generate_token
  length = ActionController::Base::AUTHENTICITY_TOKEN_LENGTH
  # Integer form of ceil(length * 0.75): three bytes per four Base64 chars.
  byte_count = (length * 3 + 3) / 4
  encoded = encode(SecureRandom.random_bytes(byte_count))
  encoded[0...length]
end
valid_token?(token, checksum)
# File lib/unified_csrf_prevention/core.rb, line 31
# Check that +checksum+ is the genuine checksum for +token+.
#
# A missing token or checksum is rejected outright. Otherwise the expected
# checksum is recomputed with checksum_for and compared with
# ActiveSupport::SecurityUtils.secure_compare, which is meant to run in
# constant time so an attacker cannot learn the expected value byte by byte
# through timing. Since both sides are HMAC outputs, the attacker has to
# know the shared secret to produce a matching pair.
#
# @param token [String, nil] the token presented by the client
# @param checksum [String, nil] the checksum presented alongside it
# @return [Boolean] true only when both are present and the checksum matches
def valid_token?(token, checksum)
  return false if token.nil? || checksum.nil?

  expected = checksum_for(token)
  ActiveSupport::SecurityUtils.secure_compare(expected, checksum)
end
Private Class Methods
encode(binary_string)
# File lib/unified_csrf_prevention/core.rb, line 43
# Encode a binary string as URL-safe Base64 without "=" padding.
#
# Uses the "-_" alphabet instead of "+/" so the result can be stored in a
# cookie without further escaping; padding is dropped since the decoder side
# of this scheme only ever compares encoded values, never decodes them here.
#
# @param binary_string [String] raw bytes to encode
# @return [String] unpadded URL-safe Base64 text
def encode(binary_string)
  # pack("m0") is strict (single-line) Base64; swap to the URL-safe
  # alphabet and strip the padding characters.
  [binary_string].pack("m0").tr("+/", "-_").delete("=")
end