2017-06-21 02:52:54 -04:00
|
|
|
# A module to check CSRF tokens in requests.
|
|
|
|
# It's used in API helpers and OmniAuth.
|
|
|
|
# Usage: GitLab::RequestForgeryProtection.call(env)
|
2015-04-24 11:03:18 -04:00
|
|
|
|
2017-06-22 01:19:14 -04:00
|
|
|
module Gitlab
|
2015-12-08 08:41:19 -05:00
|
|
|
module RequestForgeryProtection
|
|
|
|
class Controller < ActionController::Base
|
2018-06-21 06:44:31 -04:00
|
|
|
protect_from_forgery with: :exception, prepend: true
|
2015-04-24 11:03:18 -04:00
|
|
|
|
2017-07-28 09:39:39 -04:00
|
|
|
rescue_from ActionController::InvalidAuthenticityToken do |e|
|
|
|
|
logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`"
|
|
|
|
logger.warn "Unlike the logs may suggest, this does not result in an actual 422 response to the user"
|
|
|
|
logger.warn "For API requests, the only effect is that `current_user` will be `nil` for the duration of the request"
|
|
|
|
|
|
|
|
raise e
|
|
|
|
end
|
|
|
|
|
2015-12-08 08:41:19 -05:00
|
|
|
def index
|
|
|
|
head :ok
|
2015-04-24 11:03:18 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-12-08 08:41:19 -05:00
|
|
|
def self.app
|
|
|
|
@app ||= Controller.action(:index)
|
2015-04-24 11:03:18 -04:00
|
|
|
end
|
|
|
|
|
2015-12-08 08:41:19 -05:00
|
|
|
def self.call(env)
|
|
|
|
app.call(env)
|
2015-04-24 11:03:18 -04:00
|
|
|
end
|
2017-07-26 05:25:10 -04:00
|
|
|
|
|
|
|
def self.verified?(env)
|
|
|
|
call(env)
|
|
|
|
|
|
|
|
true
|
|
|
|
rescue ActionController::InvalidAuthenticityToken
|
|
|
|
false
|
|
|
|
end
|
2015-04-24 11:03:18 -04:00
|
|
|
end
|
|
|
|
end
|