method

valid_authenticity_token?

v8.0.0 - Show latest stable - 0 notes - Class: ActionController::RequestForgeryProtection

1.0.0
1.1.6
1.2.6
2.0.3
2.1.0
2.2.1
2.3.8
3.0.0
3.0.9
3.1.0
3.2.1
3.2.8
3.2.13
4.0.2
4.1.8
4.2.1 (0)
4.2.7 (0)
4.2.9 (0)
5.0.0.1 (0)
5.1.7 (0)
5.2.3 (0)
6.0.0 (0)
6.1.3.1 (0)
6.1.7.7 (0)
7.0.0 (0)
7.1.3.2 (0)
7.1.3.4 (0)
7.2.3 (0)
8.0.0 (0)
8.1.1 (0)
What's this?

valid_authenticity_token?(session, encoded_masked_token) private

Checks the client’s masked token to see if it matches the session token. Essentially the inverse of `masked_authenticity_token`.

Show source

# File actionpack/lib/action_controller/metal/request_forgery_protection.rb, line 500
      def valid_authenticity_token?(session, encoded_masked_token) # :doc:
        if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String)
          return false
        end

        begin
          masked_token = decode_csrf_token(encoded_masked_token)
        rescue ArgumentError # encoded_masked_token is invalid Base64
          return false
        end

        # See if it's actually a masked token or not. In order to deploy this code, we
        # should be able to handle any unmasked tokens that we've issued without error.

        if masked_token.length == AUTHENTICITY_TOKEN_LENGTH
          # This is actually an unmasked token. This is expected if you have just upgraded
          # to masked tokens, but should stop happening shortly after installing this gem.
          compare_with_real_token masked_token

        elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
          csrf_token = unmask_token(masked_token)

          compare_with_global_token(csrf_token) ||
            compare_with_real_token(csrf_token) ||
            valid_per_form_csrf_token?(csrf_token)
        else
          false # Token is malformed.
        end
      end

valid_authenticity_token?

Related methods