Class: Brut::FrontEnd::CsrfProtector
- Inherits: Object
- Inheritance chain: Object, Brut::FrontEnd::CsrfProtector
- Defined in: lib/brut/front_end/csrf_protector.rb
Overview
Base for custom logic around CSRF protection. Brut configures Rack::Protection::AuthenticityToken for all requests, and this happens early in the request. The idea is that no real POST should be missing a CSRF token. That said, there are times when it must be skipped, such as for webhooks. In that case, you can extend this class and configure it via Brut.container.override("csrf_protector", YourCustomCsrfProtector.new) in your App class' initializer.
Instance Method Summary
- #allowed?(env) ⇒ Boolean
Return true if the request should be allowed without a CSRF token.
Instance Method Details
#allowed?(env) ⇒ Boolean
Return true if the request should be allowed without a CSRF token. This implementation returns false.
# File 'lib/brut/front_end/csrf_protector.rb', line 27
def allowed?(env)
  false
end
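A sketch of the webhook exemption the overview describes, added here as an example and not taken from Brut's own code: the subclass skips the CSRF token only for a POST to one exact path whose body carries a valid HMAC-SHA256 signature. The class name, the route, the signature header, the shared secret and the `sample_env` helper are assumptions, the base class is a stand-in so the file runs without Brut, and `rack.input` is assumed to be rewindable.

```ruby
require "openssl"
require "stringio"

# Stand-in for the documented base class so this runs without Brut installed.
module Brut
  module FrontEnd
    class CsrfProtector
      def allowed?(env)
        false
      end
    end
  end
end

# Hypothetical subclass: exempts a single webhook route from the CSRF token,
# and only when the sender proves itself with an HMAC over the request body.
class WebhookCsrfProtector < Brut::FrontEnd::CsrfProtector
  WEBHOOK_PATH  = "/webhooks/payments"        # assumed route
  SIGNATURE_KEY = "HTTP_X_WEBHOOK_SIGNATURE"  # assumed header (Rack env form)

  def initialize(secret:)
    @secret = secret
  end

  def allowed?(env)
    return false unless env["REQUEST_METHOD"] == "POST"
    return false unless env["PATH_INFO"] == WEBHOOK_PATH # exact match, no prefix
    input = env["rack.input"]
    return false unless input
    body = input.read
    input.rewind # leave the body readable for the webhook handler
    expected = OpenSSL::HMAC.hexdigest("SHA256", @secret, body)
    constant_time_equal?(expected, env[SIGNATURE_KEY].to_s)
  end

  private
  # Compares every byte so timing does not reveal how much of the value matched.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed Rack env for exercising the class; not a captured request.
def sample_env(path:, body:, signature: nil, method: "POST")
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path, "rack.input" => StringIO.new(body) }
  env[WebhookCsrfProtector::SIGNATURE_KEY] = signature if signature
  env
end
```

Registering an instance uses the `Brut.container.override("csrf_protector", ...)` call from the overview; every other request still falls through to the default `false` and keeps requiring a token.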