blob: d5e80053772b91a79be7a79930ef70f40339d13d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
# frozen_string_literal: true
# A module to check CSRF tokens in requests.
# It's used in API helpers and OmniAuth.
# Usage: GitLab::RequestForgeryProtection.call(env)
module Gitlab
module RequestForgeryProtection
# rubocop:disable Rails/ApplicationController
class Controller < ActionController::Base
protect_from_forgery with: :exception, prepend: true
def initialize
super
# Squelch noisy and unnecessary "Can't verify CSRF token authenticity." messages.
# X-Csrf-Token is only one authentication mechanism for API helpers.
self.logger = ActiveSupport::Logger.new(File::NULL)
end
def index
head :ok
end
end
def self.app
@app ||= Controller.action(:index)
end
def self.call(env)
app.call(env)
end
def self.verified?(env)
minimal_env = env.slice('REQUEST_METHOD', 'rack.session', 'HTTP_X_CSRF_TOKEN')
.merge('rack.input' => '')
call(minimal_env)
true
rescue ActionController::InvalidAuthenticityToken
false
end
# rubocop:enable Rails/ApplicationController
end
end
|