gitlab-org--gitlab-foss/lib/gitlab/request_forgery_protection.rb

40 lines
1 KiB
Ruby
Raw Normal View History

2017-06-21 02:52:54 -04:00
# A module to check CSRF tokens in requests.
# It's used in API helpers and OmniAuth.
# Usage: GitLab::RequestForgeryProtection.call(env)
2017-06-22 01:19:14 -04:00
module Gitlab
2015-12-08 08:41:19 -05:00
module RequestForgeryProtection
class Controller < ActionController::Base
protect_from_forgery with: :exception, prepend: true
rescue_from ActionController::InvalidAuthenticityToken do |e|
logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`"
logger.warn "Unlike the logs may suggest, this does not result in an actual 422 response to the user"
logger.warn "For API requests, the only effect is that `current_user` will be `nil` for the duration of the request"
raise e
end
2015-12-08 08:41:19 -05:00
def index
head :ok
end
end
2015-12-08 08:41:19 -05:00
def self.app
@app ||= Controller.action(:index)
end
2015-12-08 08:41:19 -05:00
def self.call(env)
app.call(env)
end
def self.verified?(env)
call(env)
true
rescue ActionController::InvalidAuthenticityToken
false
end
end
end