mirror of
https://github.com/discourse/discourse.git
synced 2024-11-30 02:53:39 +08:00
750802bf56
This displays more useful messages for the most common issues we see: - CSRF (when the user switches browser) - Invalid IAT (when the server clock is wrong) - OAuth::Unauthorized for OAuth1 providers, when the credentials are incorrect This commit also stops earlier for disabled authenticators. Now we stop at the request phase, rather than the callback phase.
31 lines
712 B
Ruby
31 lines
712 B
Ruby
# frozen_string_literal: true
|
|
|
|
# Provides a way to check a CSRF token outside of a controller
|
|
class CSRFTokenVerifier
|
|
class InvalidCSRFToken < StandardError; end
|
|
|
|
include ActiveSupport::Configurable
|
|
include ActionController::RequestForgeryProtection
|
|
|
|
# Use config from ActionController::Base
|
|
config.each_key do |configuration_name|
|
|
undef_method configuration_name
|
|
define_method configuration_name do
|
|
ActionController::Base.config[configuration_name]
|
|
end
|
|
end
|
|
|
|
def call(env)
|
|
@request = ActionDispatch::Request.new(env.dup)
|
|
|
|
unless verified_request?
|
|
raise InvalidCSRFToken
|
|
end
|
|
end
|
|
|
|
private
|
|
|
|
attr_reader :request
|
|
delegate :params, :session, to: :request
|
|
end
|