discourse/lib/csrf_token_verifier.rb

# frozen_string_literal: true

# Provides a way to check a CSRF token outside of a controller
class CSRFTokenVerifier
  class InvalidCSRFToken < StandardError; end

  include ActiveSupport::Configurable
  include ActionController::RequestForgeryProtection

  # Use config from ActionController::Base
  config.each_key do |configuration_name|
    undef_method configuration_name
    define_method configuration_name do
      ActionController::Base.config[configuration_name]
    end
  end

  def call(env)
    @request = ActionDispatch::Request.new(env.dup)

    unless verified_request?
      raise InvalidCSRFToken
    end
  end

  public :form_authenticity_token

  private

  attr_reader :request
  delegate :params, :session, to: :request
end
SECURITY: Require POST with CSRF token for OmniAuth request phase 2019-08-08 06:57:28 -04:00			`# frozen_string_literal: true`

			`# Provides a way to check a CSRF token outside of a controller`
			`class CSRFTokenVerifier`
UX: Improve error handling for common OmniAuth exceptions (#7991) This displays more useful messages for the most common issues we see: - CSRF (when the user switches browser) - Invalid IAT (when the server clock is wrong) - OAuth::Unauthorized for OAuth1 providers, when the credentials are incorrect This commit also stops earlier for disabled authenticators. Now we stop at the request phase, rather than the callback phase. 2019-08-12 05:55:02 -04:00			`class InvalidCSRFToken < StandardError; end`

SECURITY: Require POST with CSRF token for OmniAuth request phase 2019-08-08 06:57:28 -04:00			`include ActiveSupport::Configurable`
			`include ActionController::RequestForgeryProtection`

			`# Use config from ActionController::Base`
			`config.each_key do \|configuration_name\|`
			`undef_method configuration_name`
			`define_method configuration_name do`
			`ActionController::Base.config[configuration_name]`
			`end`
			`end`

			`def call(env)`
			`@request = ActionDispatch::Request.new(env.dup)`

			`unless verified_request?`
UX: Improve error handling for common OmniAuth exceptions (#7991) This displays more useful messages for the most common issues we see: - CSRF (when the user switches browser) - Invalid IAT (when the server clock is wrong) - OAuth::Unauthorized for OAuth1 providers, when the credentials are incorrect This commit also stops earlier for disabled authenticators. Now we stop at the request phase, rather than the callback phase. 2019-08-12 05:55:02 -04:00			`raise InvalidCSRFToken`
SECURITY: Require POST with CSRF token for OmniAuth request phase 2019-08-08 06:57:28 -04:00			`end`
			`end`

DEV: Provide method for auth plugins to generate a CSRF token 2019-08-12 20:13:08 -04:00			`public :form_authenticity_token`

SECURITY: Require POST with CSRF token for OmniAuth request phase 2019-08-08 06:57:28 -04:00			`private`

			`attr_reader :request`
			`delegate :params, :session, to: :request`
			`end`