actionpack 6.0.0

data/lib/action_controller/metal/redirecting.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+module ActionController
+  module Redirecting
+    extend ActiveSupport::Concern
+
+    include AbstractController::Logger
+    include ActionController::UrlFor
+
+    # Redirects the browser to the target specified in +options+. This parameter can be any one of:
+    #
+    # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
+    # * <tt>Record</tt> - The URL will be generated by calling url_for with the +options+, which will reference a named URL for that record.
+    # * <tt>String</tt> starting with <tt>protocol://</tt> (like <tt>http://</tt>) or a protocol relative reference (like <tt>//</tt>) - Is passed straight through as the target for redirection.
+    # * <tt>String</tt> not containing a protocol - The current protocol and host is prepended to the string.
+    # * <tt>Proc</tt> - A block that will be executed in the controller's context. Should return any option accepted by +redirect_to+.
+    #
+    # === Examples:
+    #
+    #   redirect_to action: "show", id: 5
+    #   redirect_to @post
+    #   redirect_to "http://www.rubyonrails.org"
+    #   redirect_to "/images/screenshot.jpg"
+    #   redirect_to posts_url
+    #   redirect_to proc { edit_post_url(@post) }
+    #
+    # The redirection happens as a <tt>302 Found</tt> header unless otherwise specified using the <tt>:status</tt> option:
+    #
+    #   redirect_to post_url(@post), status: :found
+    #   redirect_to action: 'atom', status: :moved_permanently
+    #   redirect_to post_url(@post), status: 301
+    #   redirect_to action: 'atom', status: 302
+    #
+    # The status code can either be a standard {HTTP Status code}[https://www.iana.org/assignments/http-status-codes] as an
+    # integer, or a symbol representing the downcased, underscored and symbolized description.
+    # Note that the status code must be a 3xx HTTP code, or redirection will not occur.
+    #
+    # If you are using XHR requests other than GET or POST and redirecting after the
+    # request then some browsers will follow the redirect using the original request
+    # method. This may lead to undesirable behavior such as a double DELETE. To work
+    # around this you can return a <tt>303 See Other</tt> status code which will be
+    # followed using a GET request.
+    #
+    #   redirect_to posts_url, status: :see_other
+    #   redirect_to action: 'index', status: 303
+    #
+    # It is also possible to assign a flash message as part of the redirection. There are two special accessors for the commonly used flash names
+    # +alert+ and +notice+ as well as a general purpose +flash+ bucket.
+    #
+    #   redirect_to post_url(@post), alert: "Watch it, mister!"
+    #   redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
+    #   redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
+    #   redirect_to({ action: 'atom' }, alert: "Something serious happened")
+    #
+    # Statements after +redirect_to+ in our controller get executed, so +redirect_to+ doesn't stop the execution of the function.
+    # To terminate the execution of the function immediately after the +redirect_to+, use return.
+    #   redirect_to post_url(@post) and return
+    def redirect_to(options = {}, response_options = {})
+      raise ActionControllerError.new("Cannot redirect to nil!") unless options
+      raise AbstractController::DoubleRenderError if response_body
+
+      self.status        = _extract_redirect_to_status(options, response_options)
+      self.location      = _compute_redirect_to_location(request, options)
+      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
+    end
+
+    # Redirects the browser to the page that issued the request (the referrer)
+    # if possible, otherwise redirects to the provided default fallback
+    # location.
+    #
+    # The referrer information is pulled from the HTTP +Referer+ (sic) header on
+    # the request. This is an optional header and its presence on the request is
+    # subject to browser security settings and user preferences. If the request
+    # is missing this header, the <tt>fallback_location</tt> will be used.
+    #
+    #   redirect_back fallback_location: { action: "show", id: 5 }
+    #   redirect_back fallback_location: @post
+    #   redirect_back fallback_location: "http://www.rubyonrails.org"
+    #   redirect_back fallback_location: "/images/screenshot.jpg"
+    #   redirect_back fallback_location: posts_url
+    #   redirect_back fallback_location: proc { edit_post_url(@post) }
+    #   redirect_back fallback_location: '/', allow_other_host: false
+    #
+    # ==== Options
+    # * <tt>:fallback_location</tt> - The default fallback location that will be used on missing +Referer+ header.
+    # * <tt>:allow_other_host</tt> - Allow or disallow redirection to the host that is different to the current host, defaults to true.
+    #
+    # All other options that can be passed to <tt>redirect_to</tt> are accepted as
+    # options and the behavior is identical.
+    def redirect_back(fallback_location:, allow_other_host: true, **args)
+      referer = request.headers["Referer"]
+      redirect_to_referer = referer && (allow_other_host || _url_host_allowed?(referer))
+      redirect_to redirect_to_referer ? referer : fallback_location, **args
+    end
+
+    def _compute_redirect_to_location(request, options) #:nodoc:
+      case options
+      # The scheme name consist of a letter followed by any combination of
+      # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
+      # characters; and is terminated by a colon (":").
+      # See https://tools.ietf.org/html/rfc3986#section-3.1
+      # The protocol relative scheme starts with a double slash "//".
+      when /\A([a-z][a-z\d\-+\.]*:|\/\/).*/i
+        options
+      when String
+        request.protocol + request.host_with_port + options
+      when Proc
+        _compute_redirect_to_location request, instance_eval(&options)
+      else
+        url_for(options)
+      end.delete("\0\r\n")
+    end
+    module_function :_compute_redirect_to_location
+    public :_compute_redirect_to_location
+
+    private
+      def _extract_redirect_to_status(options, response_options)
+        if options.is_a?(Hash) && options.key?(:status)
+          Rack::Utils.status_code(options.delete(:status))
+        elsif response_options.key?(:status)
+          Rack::Utils.status_code(response_options[:status])
+        else
+          302
+        end
+      end
+
+      def _url_host_allowed?(url)
+        URI(url.to_s).host == request.host
+      rescue ArgumentError, URI::Error
+        false
+      end
+  end
+end

data/lib/action_controller/metal/renderers.rb

@@ -0,0 +1,181 @@
+# frozen_string_literal: true
+
+require "set"
+
+module ActionController
+  # See <tt>Renderers.add</tt>
+  def self.add_renderer(key, &block)
+    Renderers.add(key, &block)
+  end
+
+  # See <tt>Renderers.remove</tt>
+  def self.remove_renderer(key)
+    Renderers.remove(key)
+  end
+
+  # See <tt>Responder#api_behavior</tt>
+  class MissingRenderer < LoadError
+    def initialize(format)
+      super "No renderer defined for format: #{format}"
+    end
+  end
+
+  module Renderers
+    extend ActiveSupport::Concern
+
+    # A Set containing renderer names that correspond to available renderer procs.
+    # Default values are <tt>:json</tt>, <tt>:js</tt>, <tt>:xml</tt>.
+    RENDERERS = Set.new
+
+    included do
+      class_attribute :_renderers, default: Set.new.freeze
+    end
+
+    # Used in <tt>ActionController::Base</tt>
+    # and <tt>ActionController::API</tt> to include all
+    # renderers by default.
+    module All
+      extend ActiveSupport::Concern
+      include Renderers
+
+      included do
+        self._renderers = RENDERERS
+      end
+    end
+
+    # Adds a new renderer to call within controller actions.
+    # A renderer is invoked by passing its name as an option to
+    # <tt>AbstractController::Rendering#render</tt>. To create a renderer
+    # pass it a name and a block. The block takes two arguments, the first
+    # is the value paired with its key and the second is the remaining
+    # hash of options passed to +render+.
+    #
+    # Create a csv renderer:
+    #
+    #   ActionController::Renderers.add :csv do |obj, options|
+    #     filename = options[:filename] || 'data'
+    #     str = obj.respond_to?(:to_csv) ? obj.to_csv : obj.to_s
+    #     send_data str, type: Mime[:csv],
+    #       disposition: "attachment; filename=#{filename}.csv"
+    #   end
+    #
+    # Note that we used Mime[:csv] for the csv mime type as it comes with Rails.
+    # For a custom renderer, you'll need to register a mime type with
+    # <tt>Mime::Type.register</tt>.
+    #
+    # To use the csv renderer in a controller action:
+    #
+    #   def show
+    #     @csvable = Csvable.find(params[:id])
+    #     respond_to do |format|
+    #       format.html
+    #       format.csv { render csv: @csvable, filename: @csvable.name }
+    #     end
+    #   end
+    def self.add(key, &block)
+      define_method(_render_with_renderer_method_name(key), &block)
+      RENDERERS << key.to_sym
+    end
+
+    # This method is the opposite of add method.
+    #
+    # To remove a csv renderer:
+    #
+    #   ActionController::Renderers.remove(:csv)
+    def self.remove(key)
+      RENDERERS.delete(key.to_sym)
+      method_name = _render_with_renderer_method_name(key)
+      remove_possible_method(method_name)
+    end
+
+    def self._render_with_renderer_method_name(key)
+      "_render_with_renderer_#{key}"
+    end
+
+    module ClassMethods
+      # Adds, by name, a renderer or renderers to the +_renderers+ available
+      # to call within controller actions.
+      #
+      # It is useful when rendering from an <tt>ActionController::Metal</tt> controller or
+      # otherwise to add an available renderer proc to a specific controller.
+      #
+      # Both <tt>ActionController::Base</tt> and <tt>ActionController::API</tt>
+      # include <tt>ActionController::Renderers::All</tt>, making all renderers
+      # available in the controller. See <tt>Renderers::RENDERERS</tt> and <tt>Renderers.add</tt>.
+      #
+      # Since <tt>ActionController::Metal</tt> controllers cannot render, the controller
+      # must include <tt>AbstractController::Rendering</tt>, <tt>ActionController::Rendering</tt>,
+      # and <tt>ActionController::Renderers</tt>, and have at least one renderer.
+      #
+      # Rather than including <tt>ActionController::Renderers::All</tt> and including all renderers,
+      # you may specify which renderers to include by passing the renderer name or names to
+      # +use_renderers+. For example, a controller that includes only the <tt>:json</tt> renderer
+      # (+_render_with_renderer_json+) might look like:
+      #
+      #   class MetalRenderingController < ActionController::Metal
+      #     include AbstractController::Rendering
+      #     include ActionController::Rendering
+      #     include ActionController::Renderers
+      #
+      #     use_renderers :json
+      #
+      #     def show
+      #       render json: record
+      #     end
+      #   end
+      #
+      # You must specify a +use_renderer+, else the +controller.renderer+ and
+      # +controller._renderers+ will be <tt>nil</tt>, and the action will fail.
+      def use_renderers(*args)
+        renderers = _renderers + args
+        self._renderers = renderers.freeze
+      end
+      alias use_renderer use_renderers
+    end
+
+    # Called by +render+ in <tt>AbstractController::Rendering</tt>
+    # which sets the return value as the +response_body+.
+    #
+    # If no renderer is found, +super+ returns control to
+    # <tt>ActionView::Rendering.render_to_body</tt>, if present.
+    def render_to_body(options)
+      _render_to_body_with_renderer(options) || super
+    end
+
+    def _render_to_body_with_renderer(options)
+      _renderers.each do |name|
+        if options.key?(name)
+          _process_options(options)
+          method_name = Renderers._render_with_renderer_method_name(name)
+          return send(method_name, options.delete(name), options)
+        end
+      end
+      nil
+    end
+
+    add :json do |json, options|
+      json = json.to_json(options) unless json.kind_of?(String)
+
+      if options[:callback].present?
+        if media_type.nil? || media_type == Mime[:json]
+          self.content_type = Mime[:js]
+        end
+
+        "/**/#{options[:callback]}(#{json})"
+      else
+        self.content_type = Mime[:json] if media_type.nil?
+        json
+      end
+    end
+
+    add :js do |js, options|
+      self.content_type = Mime[:js] if media_type.nil?
+      js.respond_to?(:to_js) ? js.to_js(options) : js
+    end
+
+    add :xml do |xml, options|
+      self.content_type = Mime[:xml] if media_type.nil?
+      xml.respond_to?(:to_xml) ? xml.to_xml(options) : xml
+    end
+  end
+end

data/lib/action_controller/metal/rendering.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+module ActionController
+  module Rendering
+    extend ActiveSupport::Concern
+
+    RENDER_FORMATS_IN_PRIORITY = [:body, :plain, :html]
+
+    module ClassMethods
+      # Documentation at ActionController::Renderer#render
+      delegate :render, to: :renderer
+
+      # Returns a renderer instance (inherited from ActionController::Renderer)
+      # for the controller.
+      attr_reader :renderer
+
+      def setup_renderer! # :nodoc:
+        @renderer = Renderer.for(self)
+      end
+
+      def inherited(klass)
+        klass.setup_renderer!
+        super
+      end
+    end
+
+    # Before processing, set the request formats in current controller formats.
+    def process_action(*) #:nodoc:
+      self.formats = request.formats.map(&:ref).compact
+      super
+    end
+
+    # Check for double render errors and set the content_type after rendering.
+    def render(*args) #:nodoc:
+      raise ::AbstractController::DoubleRenderError if response_body
+      super
+    end
+
+    # Overwrite render_to_string because body can now be set to a Rack body.
+    def render_to_string(*)
+      result = super
+      if result.respond_to?(:each)
+        string = +""
+        result.each { |r| string << r }
+        string
+      else
+        result
+      end
+    end
+
+    def render_to_body(options = {})
+      super || _render_in_priorities(options) || " "
+    end
+
+    private
+
+      def _process_variant(options)
+        if defined?(request) && !request.nil? && request.variant.present?
+          options[:variant] = request.variant
+        end
+      end
+
+      def _render_in_priorities(options)
+        RENDER_FORMATS_IN_PRIORITY.each do |format|
+          return options[format] if options.key?(format)
+        end
+
+        nil
+      end
+
+      def _set_html_content_type
+        self.content_type = Mime[:html].to_s
+      end
+
+      def _set_rendered_content_type(format)
+        if format && !response.media_type
+          self.content_type = format.to_s
+        end
+      end
+
+      # Normalize arguments by catching blocks and setting them on :update.
+      def _normalize_args(action = nil, options = {}, &blk)
+        options = super
+        options[:update] = blk if block_given?
+        options
+      end
+
+      # Normalize both text and status options.
+      def _normalize_options(options)
+        _normalize_text(options)
+
+        if options[:html]
+          options[:html] = ERB::Util.html_escape(options[:html])
+        end
+
+        if options[:status]
+          options[:status] = Rack::Utils.status_code(options[:status])
+        end
+
+        super
+      end
+
+      def _normalize_text(options)
+        RENDER_FORMATS_IN_PRIORITY.each do |format|
+          if options.key?(format) && options[format].respond_to?(:to_text)
+            options[format] = options[format].to_text
+          end
+        end
+      end
+
+      # Process controller specific options, as status, content-type and location.
+      def _process_options(options)
+        status, content_type, location = options.values_at(:status, :content_type, :location)
+
+        self.status = status if status
+        self.content_type = content_type if content_type
+        headers["Location"] = url_for(location) if location
+
+        super
+      end
+  end
+end

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -0,0 +1,456 @@
+# frozen_string_literal: true
+
+require "rack/session/abstract/id"
+require "action_controller/metal/exceptions"
+require "active_support/security_utils"
+
+module ActionController #:nodoc:
+  class InvalidAuthenticityToken < ActionControllerError #:nodoc:
+  end
+
+  class InvalidCrossOriginRequest < ActionControllerError #:nodoc:
+  end
+
+  # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
+  # by including a token in the rendered HTML for your application. This token is
+  # stored as a random string in the session, to which an attacker does not have
+  # access. When a request reaches your application, \Rails verifies the received
+  # token with the token in the session. All requests are checked except GET requests
+  # as these should be idempotent. Keep in mind that all session-oriented requests
+  # are CSRF protected by default, including JavaScript and HTML requests.
+  #
+  # Since HTML and JavaScript requests are typically made from the browser, we
+  # need to ensure to verify request authenticity for the web browser. We can
+  # use session-oriented authentication for these types of requests, by using
+  # the <tt>protect_from_forgery</tt> method in our controllers.
+  #
+  # GET requests are not protected since they don't have side effects like writing
+  # to the database and don't leak sensitive information. JavaScript requests are
+  # an exception: a third-party site can use a <script> tag to reference a JavaScript
+  # URL on your site. When your JavaScript response loads on their site, it executes.
+  # With carefully crafted JavaScript on their end, sensitive data in your JavaScript
+  # response may be extracted. To prevent this, only XmlHttpRequest (known as XHR or
+  # Ajax) requests are allowed to make requests for JavaScript responses.
+  #
+  # It's important to remember that XML or JSON requests are also checked by default. If
+  # you're building an API or an SPA you could change forgery protection method in
+  # <tt>ApplicationController</tt> (by default: <tt>:exception</tt>):
+  #
+  #   class ApplicationController < ActionController::Base
+  #     protect_from_forgery unless: -> { request.format.json? }
+  #   end
+  #
+  # It is generally safe to exclude XHR requests from CSRF protection
+  # (like the code snippet above does), because XHR requests can only be made from
+  # the same origin. Note however that any cross-origin third party domain
+  # allowed via {CORS}[https://en.wikipedia.org/wiki/Cross-origin_resource_sharing]
+  # will also be able to create XHR requests. Be sure to check your
+  # CORS configuration before disabling forgery protection for XHR.
+  #
+  # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method.
+  # By default <tt>protect_from_forgery</tt> protects your session with
+  # <tt>:null_session</tt> method, which provides an empty session
+  # during request.
+  #
+  # We may want to disable CSRF protection for APIs since they are typically
+  # designed to be state-less. That is, the request API client will handle
+  # the session for you instead of Rails.
+  #
+  # The token parameter is named <tt>authenticity_token</tt> by default. The name and
+  # value of this token must be added to every layout that renders forms by including
+  # <tt>csrf_meta_tags</tt> in the HTML +head+.
+  #
+  # Learn more about CSRF attacks and securing your application in the
+  # {Ruby on Rails Security Guide}[https://guides.rubyonrails.org/security.html].
+  module RequestForgeryProtection
+    extend ActiveSupport::Concern
+
+    include AbstractController::Helpers
+    include AbstractController::Callbacks
+
+    included do
+      # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
+      # sets it to <tt>:authenticity_token</tt> by default.
+      config_accessor :request_forgery_protection_token
+      self.request_forgery_protection_token ||= :authenticity_token
+
+      # Holds the class which implements the request forgery protection.
+      config_accessor :forgery_protection_strategy
+      self.forgery_protection_strategy = nil
+
+      # Controls whether request forgery protection is turned on or not. Turned off by default only in test mode.
+      config_accessor :allow_forgery_protection
+      self.allow_forgery_protection = true if allow_forgery_protection.nil?
+
+      # Controls whether a CSRF failure logs a warning. On by default.
+      config_accessor :log_warning_on_csrf_failure
+      self.log_warning_on_csrf_failure = true
+
+      # Controls whether the Origin header is checked in addition to the CSRF token.
+      config_accessor :forgery_protection_origin_check
+      self.forgery_protection_origin_check = false
+
+      # Controls whether form-action/method specific CSRF tokens are used.
+      config_accessor :per_form_csrf_tokens
+      self.per_form_csrf_tokens = false
+
+      # Controls whether forgery protection is enabled by default.
+      config_accessor :default_protect_from_forgery
+      self.default_protect_from_forgery = false
+
+      helper_method :form_authenticity_token
+      helper_method :protect_against_forgery?
+    end
+
+    module ClassMethods
+      # Turn on request forgery protection. Bear in mind that GET and HEAD requests are not checked.
+      #
+      #   class ApplicationController < ActionController::Base
+      #     protect_from_forgery
+      #   end
+      #
+      #   class FooController < ApplicationController
+      #     protect_from_forgery except: :index
+      #   end
+      #
+      # You can disable forgery protection on controller by skipping the verification before_action:
+      #
+      #   skip_before_action :verify_authenticity_token
+      #
+      # Valid Options:
+      #
+      # * <tt>:only/:except</tt> - Only apply forgery protection to a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
+      # * <tt>:if/:unless</tt> - Turn off the forgery protection entirely depending on the passed Proc or method reference.
+      # * <tt>:prepend</tt> - By default, the verification of the authentication token will be added at the position of the
+      #   protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
+      #   when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
+      #
+      #   If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
+      # * <tt>:with</tt> - Set the method to handle unverified request.
+      #
+      # Valid unverified request handling methods are:
+      # * <tt>:exception</tt> - Raises ActionController::InvalidAuthenticityToken exception.
+      # * <tt>:reset_session</tt> - Resets the session.
+      # * <tt>:null_session</tt> - Provides an empty session during request but doesn't reset it completely. Used as default if <tt>:with</tt> option is not specified.
+      def protect_from_forgery(options = {})
+        options = options.reverse_merge(prepend: false)
+
+        self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
+        self.request_forgery_protection_token ||= :authenticity_token
+        before_action :verify_authenticity_token, options
+        append_after_action :verify_same_origin_request
+      end
+
+      # Turn off request forgery protection. This is a wrapper for:
+      #
+      #   skip_before_action :verify_authenticity_token
+      #
+      # See +skip_before_action+ for allowed options.
+      def skip_forgery_protection(options = {})
+        skip_before_action :verify_authenticity_token, options
+      end
+
+      private
+
+        def protection_method_class(name)
+          ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
+        rescue NameError
+          raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, or :reset_session"
+        end
+    end
+
+    module ProtectionMethods
+      class NullSession
+        def initialize(controller)
+          @controller = controller
+        end
+
+        # This is the method that defines the application behavior when a request is found to be unverified.
+        def handle_unverified_request
+          request = @controller.request
+          request.session = NullSessionHash.new(request)
+          request.flash = nil
+          request.session_options = { skip: true }
+          request.cookie_jar = NullCookieJar.build(request, {})
+        end
+
+        private
+
+          class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
+            def initialize(req)
+              super(nil, req)
+              @data = {}
+              @loaded = true
+            end
+
+            # no-op
+            def destroy; end
+
+            def exists?
+              true
+            end
+          end
+
+          class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
+            def write(*)
+              # nothing
+            end
+          end
+      end
+
+      class ResetSession
+        def initialize(controller)
+          @controller = controller
+        end
+
+        def handle_unverified_request
+          @controller.reset_session
+        end
+      end
+
+      class Exception
+        def initialize(controller)
+          @controller = controller
+        end
+
+        def handle_unverified_request
+          raise ActionController::InvalidAuthenticityToken
+        end
+      end
+    end
+
+    private
+      # The actual before_action that is used to verify the CSRF token.
+      # Don't override this directly. Provide your own forgery protection
+      # strategy instead. If you override, you'll disable same-origin
+      # <tt><script></tt> verification.
+      #
+      # Lean on the protect_from_forgery declaration to mark which actions are
+      # due for same-origin request verification. If protect_from_forgery is
+      # enabled on an action, this before_action flags its after_action to
+      # verify that JavaScript responses are for XHR requests, ensuring they
+      # follow the browser's same-origin policy.
+      def verify_authenticity_token # :doc:
+        mark_for_same_origin_verification!
+
+        if !verified_request?
+          if logger && log_warning_on_csrf_failure
+            if valid_request_origin?
+              logger.warn "Can't verify CSRF token authenticity."
+            else
+              logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
+            end
+          end
+          handle_unverified_request
+        end
+      end
+
+      def handle_unverified_request # :doc:
+        forgery_protection_strategy.new(self).handle_unverified_request
+      end
+
+      #:nodoc:
+      CROSS_ORIGIN_JAVASCRIPT_WARNING = "Security warning: an embedded " \
+        "<script> tag on another site requested protected JavaScript. " \
+        "If you know what you're doing, go ahead and disable forgery " \
+        "protection on this action to permit cross-origin JavaScript embedding."
+      private_constant :CROSS_ORIGIN_JAVASCRIPT_WARNING
+      # :startdoc:
+
+      # If +verify_authenticity_token+ was run (indicating that we have
+      # forgery protection enabled for this request) then also verify that
+      # we aren't serving an unauthorized cross-origin response.
+      def verify_same_origin_request # :doc:
+        if marked_for_same_origin_verification? && non_xhr_javascript_response?
+          if logger && log_warning_on_csrf_failure
+            logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING
+          end
+          raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
+        end
+      end
+
+      # GET requests are checked for cross-origin JavaScript after rendering.
+      def mark_for_same_origin_verification! # :doc:
+        @marked_for_same_origin_verification = request.get?
+      end
+
+      # If the +verify_authenticity_token+ before_action ran, verify that
+      # JavaScript responses are only served to same-origin GET requests.
+      def marked_for_same_origin_verification? # :doc:
+        @marked_for_same_origin_verification ||= false
+      end
+
+      # Check for cross-origin JavaScript responses.
+      def non_xhr_javascript_response? # :doc:
+        %r(\A(?:text|application)/javascript).match?(media_type) && !request.xhr?
+      end
+
+      AUTHENTICITY_TOKEN_LENGTH = 32
+
+      # Returns true or false if a request is verified. Checks:
+      #
+      # * Is it a GET or HEAD request? GETs should be safe and idempotent
+      # * Does the form_authenticity_token match the given token value from the params?
+      # * Does the X-CSRF-Token header match the form_authenticity_token?
+      def verified_request? # :doc:
+        !protect_against_forgery? || request.get? || request.head? ||
+          (valid_request_origin? && any_authenticity_token_valid?)
+      end
+
+      # Checks if any of the authenticity tokens from the request are valid.
+      def any_authenticity_token_valid? # :doc:
+        request_authenticity_tokens.any? do |token|
+          valid_authenticity_token?(session, token)
+        end
+      end
+
+      # Possible authenticity tokens sent in the request.
+      def request_authenticity_tokens # :doc:
+        [form_authenticity_param, request.x_csrf_token]
+      end
+
+      # Sets the token value for the current session.
+      def form_authenticity_token(form_options: {})
+        masked_authenticity_token(session, form_options: form_options)
+      end
+
+      # Creates a masked version of the authenticity token that varies
+      # on each request. The masking is used to mitigate SSL attacks
+      # like BREACH.
+      def masked_authenticity_token(session, form_options: {}) # :doc:
+        action, method = form_options.values_at(:action, :method)
+
+        raw_token = if per_form_csrf_tokens && action && method
+          action_path = normalize_action_path(action)
+          per_form_csrf_token(session, action_path, method)
+        else
+          real_csrf_token(session)
+        end
+
+        one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
+        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
+        masked_token = one_time_pad + encrypted_csrf_token
+        Base64.strict_encode64(masked_token)
+      end
+
+      # Checks the client's masked token to see if it matches the
+      # session token. Essentially the inverse of
+      # +masked_authenticity_token+.
+      def valid_authenticity_token?(session, encoded_masked_token) # :doc:
+        if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String)
+          return false
+        end
+
+        begin
+          masked_token = Base64.strict_decode64(encoded_masked_token)
+        rescue ArgumentError # encoded_masked_token is invalid Base64
+          return false
+        end
+
+        # See if it's actually a masked token or not. In order to
+        # deploy this code, we should be able to handle any unmasked
+        # tokens that we've issued without error.
+
+        if masked_token.length == AUTHENTICITY_TOKEN_LENGTH
+          # This is actually an unmasked token. This is expected if
+          # you have just upgraded to masked tokens, but should stop
+          # happening shortly after installing this gem.
+          compare_with_real_token masked_token, session
+
+        elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
+          csrf_token = unmask_token(masked_token)
+
+          compare_with_real_token(csrf_token, session) ||
+            valid_per_form_csrf_token?(csrf_token, session)
+        else
+          false # Token is malformed.
+        end
+      end
+
+      def unmask_token(masked_token) # :doc:
+        # Split the token into the one-time pad and the encrypted
+        # value and decrypt it.
+        one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
+        encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
+        xor_byte_strings(one_time_pad, encrypted_csrf_token)
+      end
+
+      def compare_with_real_token(token, session) # :doc:
+        ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
+      end
+
+      def valid_per_form_csrf_token?(token, session) # :doc:
+        if per_form_csrf_tokens
+          correct_token = per_form_csrf_token(
+            session,
+            normalize_action_path(request.fullpath),
+            request.request_method
+          )
+
+          ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, correct_token)
+        else
+          false
+        end
+      end
+
+      def real_csrf_token(session) # :doc:
+        session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
+        Base64.strict_decode64(session[:_csrf_token])
+      end
+
+      def per_form_csrf_token(session, action_path, method) # :doc:
+        OpenSSL::HMAC.digest(
+          OpenSSL::Digest::SHA256.new,
+          real_csrf_token(session),
+          [action_path, method.downcase].join("#")
+        )
+      end
+
+      def xor_byte_strings(s1, s2) # :doc:
+        s2 = s2.dup
+        size = s1.bytesize
+        i = 0
+        while i < size
+          s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
+          i += 1
+        end
+        s2
+      end
+
+      # The form's authenticity parameter. Override to provide your own.
+      def form_authenticity_param # :doc:
+        params[request_forgery_protection_token]
+      end
+
+      # Checks if the controller allows forgery protection.
+      def protect_against_forgery? # :doc:
+        allow_forgery_protection
+      end
+
+      NULL_ORIGIN_MESSAGE = <<~MSG
+        The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually
+        means you have the 'no-referrer' Referrer-Policy header enabled, or that the request came from a site that
+        refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the
+        best solution is to change your referrer policy to something less strict like same-origin or strict-origin.
+        If you cannot change the referrer policy, you can disable origin checking with the
+        Rails.application.config.action_controller.forgery_protection_origin_check setting.
+      MSG
+
+      # Checks if the request originated from the same origin by looking at the
+      # Origin header.
+      def valid_request_origin? # :doc:
+        if forgery_protection_origin_check
+          # We accept blank origin headers because some user agents don't send it.
+          raise InvalidAuthenticityToken, NULL_ORIGIN_MESSAGE if request.origin == "null"
+          request.origin.nil? || request.origin == request.base_url
+        else
+          true
+        end
+      end
+
+      def normalize_action_path(action_path) # :doc:
+        uri = URI.parse(action_path)
+        uri.path.chomp("/")
+      end
+  end
+end