instance method
valid_authenticity_token?
Ruby on Rails 6.1.7.10
Since v5.2.8.1 · Private
Signature
valid_authenticity_token?(session, encoded_masked_token)
Checks the client’s masked token to see if it matches the session token. Essentially the inverse of masked_authenticity_token.
Parameters
- session (required)
- encoded_masked_token (required)
Source
# File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 330
def valid_authenticity_token?(session, encoded_masked_token) # :doc:
  if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String)
    return false
  end

  begin
    masked_token = decode_csrf_token(encoded_masked_token)
  rescue ArgumentError # encoded_masked_token is invalid Base64
    return false
  end

  # See if it's actually a masked token or not. In order to
  # deploy this code, we should be able to handle any unmasked
  # tokens that we've issued without error.

  if masked_token.length == AUTHENTICITY_TOKEN_LENGTH
    # This is actually an unmasked token. This is expected if
    # you have just upgraded to masked tokens, but should stop
    # happening shortly after installing this gem.
    compare_with_real_token masked_token, session

  elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
    csrf_token = unmask_token(masked_token)

    compare_with_global_token(csrf_token, session) ||
      compare_with_real_token(csrf_token, session) ||
      valid_per_form_csrf_token?(csrf_token, session)
  else
    false # Token is malformed.
  end
end
Defined in actionpack/lib/action_controller/metal/request_forgery_protection.rb line 330
Defined in ActionController::RequestForgeryProtection
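The following is an added, stand-alone Ruby sketch of the mask/unmask scheme this method verifies; it is not Rails' own code. It assumes the masked layout Rails uses (a 32-byte one-time pad followed by the real token XORed with that pad, Base64-encoded), keeps the raw token directly in a session hash under :_csrf_token, decodes strict Base64 only, and collapses the global and per-form comparisons of the original into a single constant-time compare against the session token. It shows why the length check matters: a 32-byte value is treated as an unmasked legacy token, a 64-byte value is unmasked first, and anything else is rejected before any comparison runs.

```ruby
require "securerandom"
require "base64"

# Same length Rails uses for the raw authenticity token (32 random bytes).
AUTHENTICITY_TOKEN_LENGTH = 32

# Constant-time byte comparison; length mismatch is rejected up front so
# the loop below never indexes past the shorter string.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  acc = 0
  a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Masking: a fresh one-time pad per form, so the same session token never
# appears on the wire twice (the defence against BREACH-style compression
# leaks that motivated masked tokens).
def mask_token(raw_token)
  pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(raw_token, pad))
end

# Inverse of mask_token on the decoded 64-byte string: pad || (token XOR pad).
def unmask_token(masked)
  pad = masked[0, AUTHENTICITY_TOKEN_LENGTH]
  encrypted = masked[AUTHENTICITY_TOKEN_LENGTH, AUTHENTICITY_TOKEN_LENGTH]
  xor_bytes(encrypted, pad)
end

# Simplified analogue of Rails' valid_authenticity_token?. `session` is a
# plain Hash holding the raw 32-byte token (assumption for this example).
def valid_authenticity_token?(session, encoded_masked_token)
  return false unless encoded_masked_token.is_a?(String) && !encoded_masked_token.empty?

  begin
    masked = Base64.strict_decode64(encoded_masked_token)
  rescue ArgumentError # not valid Base64
    return false
  end

  real = session[:_csrf_token]
  return false unless real.is_a?(String) && real.bytesize == AUTHENTICITY_TOKEN_LENGTH

  case masked.bytesize
  when AUTHENTICITY_TOKEN_LENGTH       # legacy unmasked token
    secure_compare(masked, real)
  when AUTHENTICITY_TOKEN_LENGTH * 2   # pad + masked token
    secure_compare(unmask_token(masked), real)
  else
    false # malformed: neither length, reject without comparing
  end
end

# Builds a session with a fresh token; used by the demo and by tests.
def new_session
  { _csrf_token: SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH) }
end

if __FILE__ == $PROGRAM_NAME
  session = new_session
  puts valid_authenticity_token?(session, mask_token(session[:_csrf_token]))   # true
  puts valid_authenticity_token?(session, "not-base64!!")                      # false
  puts valid_authenticity_token?(session, Base64.strict_encode64("short"))     # false
end
```

Two masked encodings of the same token differ every time because of the random pad, yet both verify; the validity check never depends on the pad being secret, only on the XOR of the two halves matching the session value.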