1 files changed, 39 insertions, 0 deletions

diff --git a/lib/gitlab/request_forgery_protection.rb b/lib/gitlab/request_forgery_protection.rb
new file mode 100644
index 00000000000..ccfe0d6bed3
--- /dev/null
+++ b/lib/gitlab/request_forgery_protection.rb
@@ -0,0 +1,39 @@
+# A module to check CSRF tokens in requests.
+# It's used in API helpers and OmniAuth.
+# Usage: GitLab::RequestForgeryProtection.call(env)
+
+module Gitlab
+  module RequestForgeryProtection
+    class Controller < ActionController::Base
+      protect_from_forgery with: :exception
+
+      rescue_from ActionController::InvalidAuthenticityToken do |e|
+        logger.warn "This CSRF token verification failure is handled internally by `GitLab::RequestForgeryProtection`"
+        logger.warn "Unlike the logs may suggest, this does not result in an actual 422 response to the user"
+        logger.warn "For API requests, the only effect is that `current_user` will be `nil` for the duration of the request"
+
+        raise e
+      end
+
+      def index
+        head :ok
+      end
+    end
+
+    def self.app
+      @app ||= Controller.action(:index)
+    end
+
+    def self.call(env)
+      app.call(env)
+    end
+
+    def self.verified?(env)
+      call(env)
+
+      true
+    rescue ActionController::InvalidAuthenticityToken
+      false
+    end
+  end
+end