method

valid_authenticity_token?

Ruby on Rails latest stable (v6.1.7.7) - 0 notes - Class: ActionController::RequestForgeryProtection

1.0.0
1.1.6
1.2.6
2.0.3
2.1.0
2.2.1
2.3.8
3.0.0
3.0.9
3.1.0
3.2.1
3.2.8
3.2.13
4.0.2
4.1.8
4.2.1 (0)
4.2.7 (0)
4.2.9 (0)
5.0.0.1 (0)
5.1.7 (0)
5.2.3 (0)
6.0.0 (0)
6.1.3.1 (0)
6.1.7.7 (0)
7.0.0 (0)
7.1.3.2 (0)
What's this?

valid_authenticity_token?(session, encoded_masked_token) private

Checks the client’s masked token to see if it matches the session token. Essentially the inverse of masked_authenticity_token.

Show source

# File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 330
      def valid_authenticity_token?(session, encoded_masked_token) # :doc:
        if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String)
          return false
        end

        begin
          masked_token = decode_csrf_token(encoded_masked_token)
        rescue ArgumentError # encoded_masked_token is invalid Base64
          return false
        end

        # See if it's actually a masked token or not. In order to
        # deploy this code, we should be able to handle any unmasked
        # tokens that we've issued without error.

        if masked_token.length == AUTHENTICITY_TOKEN_LENGTH
          # This is actually an unmasked token. This is expected if
          # you have just upgraded to masked tokens, but should stop
          # happening shortly after installing this gem.
          compare_with_real_token masked_token, session

        elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
          csrf_token = unmask_token(masked_token)

          compare_with_global_token(csrf_token, session) ||
            compare_with_real_token(csrf_token, session) ||
            valid_per_form_csrf_token?(csrf_token, session)
        else
          false # Token is malformed.
        end
      end

valid_authenticity_token?

Related methods

Flowdock - Team Inbox With Chat for Software Developers