CSRF on Grape
# based on http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
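module Auth
  extend ActiveSupport::Concern

  included do
    helpers do
      # The Rack session hash installed by the session middleware.
      # NOTE(review): this is nil when no session middleware is mounted in
      # front of this API; form_authenticity_token would then raise.
      def session
        env['rack.session']
      end

      # Before-filter entry point: rejects the request with 401 unless
      # verified_request? accepts it.
      def protect_against_forgery
        error!('Unauthorized', 401) unless verified_request?
      end

      # A request is verified when protection is disabled, when it uses a
      # safe method (GET/HEAD), or when the submitted token matches the
      # session token. The token check stays last in the chain so a session
      # token is only minted for state-changing requests, as before.
      def verified_request?
        !protect_against_forgery? || request.get? || request.head? ||
          valid_authenticity_token?
      end

      # Compares the session token with the submitted one in constant time.
      # A plain `==` returns at the first mismatching byte, so response
      # timing leaks how much of a guessed token was correct.
      # Both header spellings are consulted because Grape normalises
      # header-key casing differently across versions ('X-Csrf-Token' in
      # older releases; newer releases lowercase keys — confirm for the
      # Grape version in use). secure_compare returns false for differing
      # lengths; the String guard covers a missing header (nil).
      def valid_authenticity_token?
        expected = form_authenticity_token
        ['X-CSRF-Token', 'X-Csrf-Token'].any? do |name|
          given = request.headers[name]
          given.is_a?(String) && ActiveSupport::SecurityUtils.secure_compare(expected, given)
        end
      end

      # Lazily generates and memoises one random token per session.
      def form_authenticity_token
        session[:_csrf_token] ||= SecureRandom.base64(32)
      end

      # Mirrors ActionController: protection is on unless the Rails config
      # explicitly disables it (an unset value counts as enabled).
      def protect_against_forgery?
        allow_forgery_protection = Rails.configuration.action_controller.allow_forgery_protection
        allow_forgery_protection.nil? || allow_forgery_protection
      end
    end
  end
end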
# Example mount: pull in the Auth helpers and run the CSRF check before
# every endpoint. The filter runs for all HTTP methods; safe (GET/HEAD)
# requests are let through inside verified_request?, not here.
class Controller < Grape::API
  include Auth
  before do
    protect_against_forgery
  end
  resource :something do
    ...
  end
end