omniauth--omniauth/lib/omniauth/authenticity_token_protection.rb

require 'rack-protection'

module OmniAuth
  class AuthenticityError < StandardError; end
  class AuthenticityTokenProtection < Rack::Protection::AuthenticityToken
    def initialize(options = {})
      @options = default_options.merge(options)
    end

    def self.call(env)
      new.call!(env)
    end

    def call!(env)
      return if accepts?(env)

      instrument env
      react env
    end

    alias_method :call, :call!

  private

    def deny(_env)
      OmniAuth.logger.send(:warn, "Attack prevented by #{self.class}")
      raise AuthenticityError.new(options[:message])
    end

    alias default_reaction deny
  end
end
Add cross site protection via rack-protection 2020-12-02 22:16:51 -05:00			`require 'rack-protection'`

			`module OmniAuth`
			`class AuthenticityError < StandardError; end`
			`class AuthenticityTokenProtection < Rack::Protection::AuthenticityToken`
			`def initialize(options = {})`
			`@options = default_options.merge(options)`
			`end`

			`def self.call(env)`
			`new.call!(env)`
			`end`

			`def call!(env)`
			`return if accepts?(env)`

			`instrument env`
			`react env`
			`end`

Allow OmniAuthAuthenticityTokenProtection options to be configured This will be useful for disabling csrf protection in test suites or configuring the csrf key when the next version of rack-protection is released. 2021-01-16 15:40:44 -05:00			`alias_method :call, :call!`

Add cross site protection via rack-protection 2020-12-02 22:16:51 -05:00			`private`

			`def deny(_env)`
			`OmniAuth.logger.send(:warn, "Attack prevented by #{self.class}")`
			`raise AuthenticityError.new(options[:message])`
			`end`

			`alias default_reaction deny`
			`end`
			`end`