kotovalexarian-likes-github
/
heartcombo--devise
mirror of https://github.com/heartcombo/devise.git
1
0
Fork 0
Code Releases Activity
heartcombo--devise/lib/devise/hooks/csrf_cleaner.rb

16 lines
609 B
Ruby
Raw Normal View History

Add the frozen_string_literal pragma comment to all Ruby files. (#4725)
2017-12-21 17:36:29 +00:00
# frozen_string_literal: true
Protect against CSRF token fixation attacks
2013-08-02 21:13:15 +00:00
Warden::Manager.after_authentication do |record, warden, options|
* Allows CSRF cleanup to be turned off for certain strategy types * Defaults Authenticatable CSRF cleanup
2014-05-09 20:48:52 +00:00
clean_up_for_winning_strategy = !warden.winning_strategy.respond_to?(:clean_up_csrf?) ||
warden.winning_strategy.clean_up_csrf?
if Devise.clean_up_csrf_token_on_authentication && clean_up_for_winning_strategy
Fix csrf cleanup for Rails 7.1 (main) Rails implemented a CSRF token storage strategy to allow storing the CSRF tokens outside of the sessios (for example, in an encrypted cookie), and changed how the value is kept around during the request cycle, by using a request.env value. We still want to ensure the final session value is cleaned correctly in the test, but the implementation needed to change since we can't simply delete from the session anymore, we need to make sure we call the Rails methods for resetting the current storage strategy so it works with all of them. https://github.com/rails/rails/pull/44283
2022-04-22 13:41:01 +00:00
request = warden.request
if request.respond_to?(:controller_instance) && request.controller_instance.respond_to?(:reset_csrf_token)
# Rails 7.1+
request.controller_instance.reset_csrf_token(request)
else
request.session.try(:delete, :_csrf_token)
end
Protect against CSRF token fixation attacks
2013-08-02 21:13:15 +00:00
end
end