```ruby
def call_external_api
  # ...
rescue
  # bare rescue: catches any StandardError and silently discards it
end
```
```ruby
# FactoryGirl's #build_stubbed method can often be used in place of #create, and will increase the speed of your test suite
# Source: https://robots.thoughtbot.com/use-factory-girls-build-stubbed-for-a-faster-test
#
# You can run this cop to find usages of #create in your spec suite...
#   rubocop --require ./do_you_really_need_create_cop.rb --only FactoryGirl/DoYouReallyNeedCreate spec/
#
# ... then, you can use the --auto-correct flag to have RuboCop automatically replace #create with #build_stubbed:
#   rubocop --require ./do_you_really_need_create_cop.rb --only FactoryGirl/DoYouReallyNeedCreate --auto-correct spec/
#
module RuboCop
```
```ruby
def compare_with_real_token(token, session) # :doc:
  ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
end
```
```ruby
def unmask_token(masked_token) # :doc:
  one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
  encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
  xor_byte_strings(one_time_pad, encrypted_csrf_token)
end
```
```ruby
def valid_authenticity_token?(session, encoded_masked_token) # :doc:
  # ...
  begin
    masked_token = Base64.strict_decode64(encoded_masked_token)
  rescue ArgumentError # encoded_masked_token is invalid Base64
    return false
  end
  if masked_token.length == AUTHENTICITY_TOKEN_LENGTH
```
```ruby
def any_authenticity_token_valid? # :doc:
  request_authenticity_tokens.any? do |token|
    valid_authenticity_token?(session, token)
  end
end
```
```ruby
# actionpack/lib/action_controller/metal/request_forgery_protection.rb
def verify_authenticity_token # :doc:
  # ...
  if !verified_request?
    # handle errors ...
  end
end
# ...
```
```html
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="vtaJFQ38doX0b7wQpp0G3H7aUk9HZQni3jHET4yS8nSJRt85Tr6oH7nroQc01dM+C/dlDwt5xPff5LwyZcggeg==" />
```
```ruby
one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
masked_token = one_time_pad + encrypted_csrf_token
Base64.strict_encode64(masked_token)
```
```ruby
# actionpack/lib/action_controller/metal/request_forgery_protection.rb
def real_csrf_token(session) # :doc:
  session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end
```
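The masking, unmasking, length-check and constant-time-compare excerpts above only make sense together, so here is the whole round trip as a self-contained added example (not Rails' own code): `xor_byte_strings` and `fixed_length_secure_compare` are stand-ins for the private Rails helpers, and `session` is a plain Hash. It shows why every page render yields a different masked token while all of them validate against the one session secret, and that bad Base64, a wrong length, or another session's token are rejected.

```ruby
require "securerandom"
require "base64"

AUTHENTICITY_TOKEN_LENGTH = 32

# Stand-in for Rails' private helper: byte-wise XOR of two equal-length strings.
def xor_byte_strings(s1, s2)
  raise ArgumentError, "length mismatch" unless s1.bytesize == s2.bytesize
  s1.bytes.zip(s2.bytes).map { |a, b| a ^ b }.pack("C*")
end

# Stand-in for ActiveSupport::SecurityUtils.fixed_length_secure_compare:
# OR-accumulates byte differences so run time does not depend on where they differ.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, "length mismatch" unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# One secret per session, stored Base64-encoded (mirrors the Rails excerpt).
def real_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
  Base64.strict_decode64(session[:_csrf_token])
end

# Fresh one-time pad per call, so the same secret never appears twice in a page body.
def mask_token(raw_token)
  one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  Base64.strict_encode64(one_time_pad + xor_byte_strings(one_time_pad, raw_token))
end

def unmask_token(masked_token)
  one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
  xor_byte_strings(one_time_pad, masked_token[AUTHENTICITY_TOKEN_LENGTH..-1])
end

# Only the masked (pad + ciphertext) length is accepted here; Rails additionally
# accepts a bare 32-byte token, which this example deliberately leaves out.
def valid_authenticity_token?(session, encoded_masked_token)
  return false unless encoded_masked_token.is_a?(String)
  begin
    masked_token = Base64.strict_decode64(encoded_masked_token)
  rescue ArgumentError # not valid strict Base64
    return false
  end
  return false unless masked_token.bytesize == AUTHENTICITY_TOKEN_LENGTH * 2
  fixed_length_secure_compare(unmask_token(masked_token), real_csrf_token(session))
end
```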