actionpack 7.0.8.1 → 7.1.0.beta1

data/lib/action_controller/metal/head.rb

@@ -18,18 +18,20 @@ module ActionController
     #   render
     #
     # See +Rack::Utils::SYMBOL_TO_STATUS_CODE+ for a full list of valid +status+ symbols.
-    def head(status, options = {})
+    def head(status, options = nil)
       if status.is_a?(Hash)
         raise ArgumentError, "#{status.inspect} is not a valid value for `status`."
       end
 
       status ||= :ok
 
-      location = options.delete(:location)
-      content_type = options.delete(:content_type)
+      if options
+        location = options.delete(:location)
+        content_type = options.delete(:content_type)
 
-      options.each do |key, value|
-        headers[key.to_s.split(/[-_]/).each { |v| v[0] = v[0].upcase }.join("-")] = value.to_s
+        options.each do |key, value|
+          headers[key.to_s.split(/[-_]/).each { |v| v[0] = v[0].upcase }.join("-")] = value.to_s
+        end
       end
 
       self.status = status
@@ -37,7 +39,7 @@ module ActionController
 
       if include_content?(response_code)
         unless self.media_type
-          self.content_type = content_type || (Mime[formats.first] if formats) || Mime[:html]
+          self.content_type = content_type || ((f = formats) && Mime[f.first]) || Mime[:html]
         end
 
         response.charset = false

data/lib/action_controller/metal/helpers.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionController
+  # = Action Controller \Helpers
+  #
   # The \Rails framework provides a large number of helpers for working with assets, dates, forms,
   # numbers and model objects, to name a few. These helpers are available to all templates
   # by default.
@@ -80,7 +82,7 @@ module ActionController
       # Provides a proxy to access helper methods from outside the view.
       #
       # Note that the proxy is rendered under a different view context.
-      # This may cause incorrect behaviour with capture methods. Consider
+      # This may cause incorrect behavior with capture methods. Consider
       # using {helper}[rdoc-ref:AbstractController::Helpers::ClassMethods#helper]
       # instead when using +capture+.
       def helpers
@@ -104,19 +106,6 @@ module ActionController
         super(args)
       end
 
-      # Returns a list of helper names in a given path.
-      #
-      #   ActionController::Base.all_helpers_from_path 'app/helpers'
-      #   # => ["application", "chart", "rubygems"]
-      def all_helpers_from_path(path)
-        helpers = Array(path).flat_map do |_path|
-          names = Dir["#{_path}/**/*_helper.rb"].map { |file| file[_path.to_s.size + 1..-"_helper.rb".size - 1] }
-          names.sort!
-        end
-        helpers.uniq!
-        helpers
-      end
-
       private
         # Extract helper names from files in <tt>app/helpers/**/*_helper.rb</tt>
         def all_application_helpers

data/lib/action_controller/metal/http_authentication.rb

@@ -316,7 +316,7 @@ module ActionController
       # of this document.
       #
       # The nonce is opaque to the client. Composed of Time, and hash of Time with secret
-      # key from the Rails session secret generated upon creation of project. Ensures
+      # key from the \Rails session secret generated upon creation of project. Ensures
       # the time cannot be modified by client.
       def nonce(secret_key, time = Time.now)
         t = time.to_i
@@ -431,8 +431,11 @@ module ActionController
           authenticate_with_http_token(&login_procedure) || request_http_token_authentication(realm, message)
         end
 
-        # Authenticate using an HTTP Bearer token. Returns true if
-        # authentication is successful, false otherwise.
+        # Authenticate using an HTTP Bearer token.
+        # Returns the return value of <tt>login_procedure</tt> if a
+        # token is found. Returns <tt>nil</tt> if no token is found.
+        #
+        # See ActionController::HttpAuthentication::Token for example usage.
         def authenticate_with_http_token(&login_procedure)
           Token.authenticate(self, &login_procedure)
         end
@@ -502,11 +505,15 @@ module ActionController
         array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
       end
 
+      WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
+      private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
+
       # This method takes an authorization body and splits up the key-value
       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(WHITESPACED_AUTHN_PAIR_DELIMITERS)
+        _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"

data/lib/action_controller/metal/implicit_render.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionController
+  # = Action Controller Implicit Render
+  #
   # Handles implicit rendering for a controller action that does not
   # explicitly respond with +render+, +respond_to+, +redirect+, or +head+.
   #
@@ -17,12 +19,12 @@ module ActionController
   # Second, if we DON'T find a template but the controller action does have
   # templates for other formats, variants, etc., then we trust that you meant
   # to provide a template for this response, too, and we raise
-  # <tt>ActionController::UnknownFormat</tt> with an explanation.
+  # ActionController::UnknownFormat with an explanation.
   #
   # Third, if we DON'T find a template AND the request is a page load in a web
   # browser (technically, a non-XHR GET request for an HTML response) where
   # you reasonably expect to have rendered a template, then we raise
-  # <tt>ActionController::MissingExactTemplate</tt> with an explanation.
+  # ActionController::MissingExactTemplate with an explanation.
   #
   # Finally, if we DON'T find a template AND the request isn't a browser page
   # load, then we implicitly respond with <tt>204 No Content</tt>.
@@ -42,7 +44,7 @@ module ActionController
         raise ActionController::UnknownFormat, message
       elsif interactive_browser_request?
         message = "#{self.class.name}\##{action_name} is missing a template for request formats: #{request.formats.map(&:to_s).join(',')}"
-        raise ActionController::MissingExactTemplate, message
+        raise ActionController::MissingExactTemplate.new(message, self.class, action_name)
       else
         logger.info "No template found for #{self.class.name}\##{action_name}, rendering head :no_content" if logger
         super

data/lib/action_controller/metal/instrumentation.rb

@@ -4,6 +4,8 @@ require "benchmark"
 require "abstract_controller/logger"
 
 module ActionController
+  # = Action Controller \Instrumentation
+  #
   # Adds instrumentation to several ends in ActionController::Base. It also provides
   # some hooks related with process_action. This allows an ORM like Active Record
   # and/or DataMapper to plug in ActionController and show related information.
@@ -16,6 +18,11 @@ module ActionController
 
     attr_internal :view_runtime
 
+    def initialize(...) # :nodoc:
+      super
+      self.view_runtime = nil
+    end
+
     def render(*)
       render_output = nil
       self.view_runtime = cleanup_view_runtime do
@@ -58,7 +65,7 @@ module ActionController
           headers: request.headers,
           format: request.format.ref,
           method: request.request_method,
-          path: request.fullpath
+          path: request.filtered_path
         }
 
         ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload)

data/lib/action_controller/metal/live.rb

@@ -5,6 +5,8 @@ require "delegate"
 require "active_support/json"
 
 module ActionController
+  # = Action Controller \Live
+  #
   # Mix this module into your controller, and all actions in that controller
   # will be able to stream data to the client as it's written.
   #
@@ -34,6 +36,21 @@ module ActionController
   # The final caveat is that your actions are executed in a separate thread than
   # the main thread. Make sure your actions are thread safe, and this shouldn't
   # be a problem (don't share state across threads, etc).
+  #
+  # Note that \Rails includes +Rack::ETag+ by default, which will buffer your
+  # response. As a result, streaming responses may not work properly with Rack
+  # 2.2.x, and you may need to implement workarounds in your application.
+  # You can either set the +ETag+ or +Last-Modified+ response headers or remove
+  # +Rack::ETag+ from the middleware stack to address this issue.
+  #
+  # Here's an example of how you can set the +Last-Modified+ header if your Rack
+  # version is 2.2.x:
+  #
+  #   def stream
+  #     response.headers["Content-Type"] = "text/event-stream"
+  #     response.headers["Last-Modified"] = Time.now.httpdate # Add this line if your Rack version is 2.2.x
+  #     ...
+  #   end
   module Live
     extend ActiveSupport::Concern
 
@@ -49,6 +66,8 @@ module ActionController
       end
     end
 
+    # = Action Controller \Live Server Sent Events
+    #
     # This class provides the ability to write an SSE (Server Sent Event)
     # to an IO stream. The class is initialized with a stream and can be used
     # to either write a JSON string or an object which can be converted to JSON.
@@ -148,6 +167,11 @@ module ActionController
         @ignore_disconnect = false
       end
 
+      # ActionDispatch::Response delegates #to_ary to the internal ActionDispatch::Response::Buffer,
+      # defining #to_ary is an indicator that the response body can be buffered and/or cached by
+      # Rack middlewares, this is not the case for Live responses so we undefine it for this Buffer subclass.
+      undef_method :to_ary
+
       def write(string)
         unless @response.committed?
           @response.headers["Cache-Control"] ||= "no-cache"

data/lib/action_controller/metal/mime_responds.rb

@@ -32,7 +32,7 @@ module ActionController # :nodoc:
     #
     # What that says is, "if the client wants HTML or JS in response to this action, just respond as we
     # would have before, but if the client wants XML, return them the list of people in XML format."
-    # (Rails determines the desired response format from the HTTP Accept header submitted by the client.)
+    # (\Rails determines the desired response format from the HTTP Accept header submitted by the client.)
     #
     # Supposing you have an action that adds a new person, optionally creating their company
     # (by name) if it does not already exist, without web-services, it might look like this:
@@ -98,7 +98,7 @@ module ActionController # :nodoc:
     #
     # Note that you can define your own XML parameter parser which would allow you to describe multiple entities
     # in a single request (i.e., by wrapping them all in a single root node), but if you just go with the flow
-    # and accept Rails' defaults, life will be much easier.
+    # and accept \Rails' defaults, life will be much easier.
     #
     # If you need to use a MIME type which isn't supported by default, you can register your own handlers in
     # +config/initializers/mime_types.rb+ as follows.

data/lib/action_controller/metal/params_wrapper.rb

@@ -6,6 +6,8 @@ require "active_support/core_ext/module/anonymous"
 require "action_dispatch/http/mime_type"
 
 module ActionController
+  # = Action Controller Params Wrapper
+  #
   # Wraps the parameters hash into a nested hash. This will allow clients to
   # submit requests without having to specify any root elements.
   #
@@ -68,7 +70,7 @@ module ActionController
   #     class Admin::UsersController < ApplicationController
   #     end
   #
-  # will try to check if <tt>Admin::User</tt> or +User+ model exists, and use it to
+  # will try to check if +Admin::User+ or +User+ model exists, and use it to
   # determine the wrapper key respectively. If both models don't exist,
   # it will then fallback to use +user+ as the key.
   #

data/lib/action_controller/metal/permissions_policy.rb

@@ -27,7 +27,7 @@ module ActionController # :nodoc:
         before_action(options) do
           if block_given?
             policy = request.permissions_policy.clone
-            yield policy
+            instance_exec(policy, &block)
             request.permissions_policy = policy
           end
         end

data/lib/action_controller/metal/redirecting.rb

@@ -4,13 +4,13 @@ module ActionController
   module Redirecting
     extend ActiveSupport::Concern
 
-    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
-
     include AbstractController::Logger
     include ActionController::UrlFor
 
     class UnsafeRedirectError < StandardError; end
 
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
     included do
       mattr_accessor :raise_on_open_redirects, default: false
     end
@@ -23,7 +23,7 @@ module ActionController
     # * <tt>String</tt> not containing a protocol - The current protocol and host is prepended to the string.
     # * <tt>Proc</tt> - A block that will be executed in the controller's context. Should return any option accepted by +redirect_to+.
     #
-    # === Examples:
+    # === Examples
     #
     #   redirect_to action: "show", id: 5
     #   redirect_to @post
@@ -67,8 +67,8 @@ module ActionController
     #
     # === Open Redirect protection
     #
-    # By default, Rails protects against redirecting to external hosts for your app's safety, so called open redirects.
-    # Note: this was a new default in Rails 7.0, after upgrading opt-in by uncommenting the line with +raise_on_open_redirects+ in <tt>config/initializers/new_framework_defaults_7_0.rb</tt>
+    # By default, \Rails protects against redirecting to external hosts for your app's safety, so called open redirects.
+    # Note: this was a new default in \Rails 7.0, after upgrading opt-in by uncommenting the line with +raise_on_open_redirects+ in <tt>config/initializers/new_framework_defaults_7_0.rb</tt>
     #
     # Here #redirect_to automatically validates the potentially-unsafe URL:
     #
@@ -93,7 +93,7 @@ module ActionController
       _ensure_url_is_http_header_safe(redirect_to_location)
 
       self.location      = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
-      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
+      self.response_body = ""
     end
 
     # Soft deprecated alias for #redirect_back_or_to where the +fallback_location+ location is supplied as a keyword argument instead

data/lib/action_controller/metal/renderers.rb

@@ -58,7 +58,7 @@ module ActionController
     #       disposition: "attachment; filename=#{filename}.csv"
     #   end
     #
-    # Note that we used Mime[:csv] for the csv mime type as it comes with Rails.
+    # Note that we used Mime[:csv] for the csv mime type as it comes with \Rails.
     # For a custom renderer, you'll need to register a mime type with
     # <tt>Mime::Type.register</tt>.
     #
@@ -100,7 +100,7 @@ module ActionController
       #
       # Both ActionController::Base and ActionController::API
       # include ActionController::Renderers::All, making all renderers
-      # available in the controller. See <tt>Renderers::RENDERERS</tt> and <tt>Renderers.add</tt>.
+      # available in the controller. See Renderers::RENDERERS and Renderers.add.
       #
       # Since ActionController::Metal controllers cannot render, the controller
       # must include AbstractController::Rendering, ActionController::Rendering,

data/lib/action_controller/metal/rendering.rb

@@ -195,13 +195,6 @@ module ActionController
         end
       end
 
-      # Normalize arguments by catching blocks and setting them on :update.
-      def _normalize_args(action = nil, options = {}, &blk)
-        options = super
-        options[:update] = blk if block_given?
-        options
-      end
-
       # Normalize both text and status options.
       def _normalize_options(options)
         _normalize_text(options)

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -11,6 +11,8 @@ module ActionController # :nodoc:
   class InvalidCrossOriginRequest < ActionControllerError # :nodoc:
   end
 
+  # = Action Controller Request Forgery Protection
+  #
   # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
   # by including a token in the rendered HTML for your application. This token is
   # stored as a random string in the session, to which an attacker does not have
@@ -34,10 +36,10 @@ module ActionController # :nodoc:
   #
   # Subclasses of ActionController::Base are protected by default with the
   # <tt>:exception</tt> strategy, which raises an
-  # <tt>ActionController::InvalidAuthenticityToken</tt> error on unverified requests.
+  # ActionController::InvalidAuthenticityToken error on unverified requests.
   #
   # APIs may want to disable this behavior since they are typically designed to be
-  # state-less: that is, the request API client handles the session instead of Rails.
+  # state-less: that is, the request API client handles the session instead of \Rails.
   # One way to achieve this is to use the <tt>:null_session</tt> strategy instead,
   # which allows unverified requests to be handled, but with an empty session:
   #
@@ -55,6 +57,8 @@ module ActionController # :nodoc:
   # Learn more about CSRF attacks and securing your application in the
   # {Ruby on Rails Security Guide}[https://guides.rubyonrails.org/security.html].
   module RequestForgeryProtection
+    CSRF_TOKEN = "action_controller.csrf_token"
+
     extend ActiveSupport::Concern
 
     include AbstractController::Helpers
@@ -90,18 +94,9 @@ module ActionController # :nodoc:
       config_accessor :default_protect_from_forgery
       self.default_protect_from_forgery = false
 
-      # Controls whether URL-safe CSRF tokens are generated.
-      config_accessor :urlsafe_csrf_tokens, instance_writer: false
-      self.urlsafe_csrf_tokens = true
-
-      singleton_class.redefine_method(:urlsafe_csrf_tokens=) do |urlsafe_csrf_tokens|
-        if urlsafe_csrf_tokens
-          ActiveSupport::Deprecation.warn("URL-safe CSRF tokens are now the default. Use 6.1 defaults or above.")
-        else
-          ActiveSupport::Deprecation.warn("Non-URL-safe CSRF tokens are deprecated. Use 6.1 defaults or above.")
-        end
-        config.urlsafe_csrf_tokens = urlsafe_csrf_tokens
-      end
+      # The strategy to use for storing and retrieving CSRF tokens.
+      config_accessor :csrf_token_storage_strategy
+      self.csrf_token_storage_strategy = SessionStore.new
 
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
@@ -148,18 +143,46 @@ module ActionController # :nodoc:
       #      end
       #
       #      def handle_unverified_request
-      #        # Custom behaviour for unverfied request
+      #        # Custom behavior for unverfied request
       #      end
       #    end
       #
-      #    class ApplicationController < ActionController:x:Base
+      #    class ApplicationController < ActionController::Base
       #      protect_from_forgery with: CustomStrategy
       #    end
+      # * <tt>:store</tt> - Set the strategy to store and retrieve CSRF tokens.
+      #
+      # Built-in session token strategies are:
+      # * <tt>:session</tt> - Store the CSRF token in the session.  Used as default if <tt>:store</tt> option is not specified.
+      # * <tt>:cookie</tt> - Store the CSRF token in an encrypted cookie.
+      #
+      # You can also implement custom strategy classes for CSRF token storage:
+      #
+      #   class CustomStore
+      #     def fetch(request)
+      #       # Return the token from a custom location
+      #     end
+      #
+      #     def store(request, csrf_token)
+      #       # Store the token in a custom location
+      #     end
+      #
+      #     def reset(request)
+      #       # Delete the stored session token
+      #     end
+      #   end
+      #
+      #   class ApplicationController < ActionController::Base
+      #     protect_from_forgery store: CustomStore.new
+      #   end
       def protect_from_forgery(options = {})
         options = options.reverse_merge(prepend: false)
 
         self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
         self.request_forgery_protection_token ||= :authenticity_token
+
+        self.csrf_token_storage_strategy = storage_strategy(options[:store] || SessionStore.new)
+
         before_action :verify_authenticity_token, options
         append_after_action :verify_same_origin_request
       end
@@ -188,6 +211,22 @@ module ActionController # :nodoc:
             raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, :reset_session, or a custom forgery protection class."
           end
         end
+
+        def storage_strategy(name)
+          case name
+          when :session
+            SessionStore.new
+          when :cookie
+            CookieStore.new(:csrf_token)
+          else
+            return name if is_storage_strategy?(name)
+            raise ArgumentError, "Invalid CSRF token storage strategy, use :session, :cookie, or a custom CSRF token storage class."
+          end
+        end
+
+        def is_storage_strategy?(object)
+          object.respond_to?(:fetch) && object.respond_to?(:store) && object.respond_to?(:reset)
+        end
     end
 
     module ProtectionMethods
@@ -255,6 +294,68 @@ module ActionController # :nodoc:
       end
     end
 
+    class SessionStore
+      def fetch(request)
+        request.session[:_csrf_token]
+      end
+
+      def store(request, csrf_token)
+        request.session[:_csrf_token] = csrf_token
+      end
+
+      def reset(request)
+        request.session.delete(:_csrf_token)
+      end
+    end
+
+    class CookieStore
+      def initialize(cookie = :csrf_token)
+        @cookie_name = cookie
+      end
+
+      def fetch(request)
+        contents = request.cookie_jar.encrypted[@cookie_name]
+        return nil if contents.nil?
+
+        value = JSON.parse(contents)
+        return nil unless value.dig("session_id", "public_id") == request.session.id_was&.public_id
+
+        value["token"]
+      rescue JSON::ParserError
+        nil
+      end
+
+      def store(request, csrf_token)
+        request.cookie_jar.encrypted.permanent[@cookie_name] = {
+          value: {
+            token: csrf_token,
+            session_id: request.session.id,
+          }.to_json,
+          httponly: true,
+          same_site: :lax,
+        }
+      end
+
+      def reset(request)
+        request.cookie_jar.delete(@cookie_name)
+      end
+    end
+
+    def initialize(...)
+      super
+      @marked_for_same_origin_verification = nil
+    end
+
+    def reset_csrf_token(request) # :doc:
+      request.env.delete(CSRF_TOKEN)
+      csrf_token_storage_strategy.reset(request)
+    end
+
+    def commit_csrf_token(request) # :doc:
+      csrf_token = request.env[CSRF_TOKEN]
+      csrf_token_storage_strategy.store(request, csrf_token) unless csrf_token.nil?
+    end
+
     private
       # The actual before_action that is used to verify the CSRF token.
       # Don't override this directly. Provide your own forgery protection
@@ -356,20 +457,20 @@ module ActionController # :nodoc:
 
       # Creates the authenticity token for the current request.
       def form_authenticity_token(form_options: {}) # :doc:
-        masked_authenticity_token(session, form_options: form_options)
+        masked_authenticity_token(form_options: form_options)
       end
 
       # Creates a masked version of the authenticity token that varies
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
-      def masked_authenticity_token(session, form_options: {})
+      def masked_authenticity_token(form_options: {})
         action, method = form_options.values_at(:action, :method)
 
         raw_token = if per_form_csrf_tokens && action && method
           action_path = normalize_action_path(action)
-          per_form_csrf_token(session, action_path, method)
+          per_form_csrf_token(nil, action_path, method)
         else
-          global_csrf_token(session)
+          global_csrf_token
         end
 
         mask_token(raw_token)
@@ -397,14 +498,14 @@ module ActionController # :nodoc:
           # This is actually an unmasked token. This is expected if
           # you have just upgraded to masked tokens, but should stop
           # happening shortly after installing this gem.
-          compare_with_real_token masked_token, session
+          compare_with_real_token masked_token
 
         elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
           csrf_token = unmask_token(masked_token)
 
-          compare_with_global_token(csrf_token, session) ||
-            compare_with_real_token(csrf_token, session) ||
-            valid_per_form_csrf_token?(csrf_token, session)
+          compare_with_global_token(csrf_token) ||
+            compare_with_real_token(csrf_token) ||
+            valid_per_form_csrf_token?(csrf_token)
         else
           false # Token is malformed.
         end
@@ -425,15 +526,15 @@ module ActionController # :nodoc:
         encode_csrf_token(masked_token)
       end
 
-      def compare_with_real_token(token, session) # :doc:
+      def compare_with_real_token(token, session = nil) # :doc:
         ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
       end
 
-      def compare_with_global_token(token, session) # :doc:
+      def compare_with_global_token(token, session = nil) # :doc:
         ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
       end
 
-      def valid_per_form_csrf_token?(token, session) # :doc:
+      def valid_per_form_csrf_token?(token, session = nil) # :doc:
         if per_form_csrf_tokens
           correct_token = per_form_csrf_token(
             session,
@@ -447,9 +548,12 @@ module ActionController # :nodoc:
         end
       end
 
-      def real_csrf_token(session) # :doc:
-        session[:_csrf_token] ||= generate_csrf_token
-        decode_csrf_token(session[:_csrf_token])
+      def real_csrf_token(_session = nil) # :doc:
+        csrf_token = request.env.fetch(CSRF_TOKEN) do
+          request.env[CSRF_TOKEN] = csrf_token_storage_strategy.fetch(request) || generate_csrf_token
+        end
+
+        decode_csrf_token(csrf_token)
       end
 
       def per_form_csrf_token(session, action_path, method) # :doc:
@@ -459,7 +563,7 @@ module ActionController # :nodoc:
       GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
       private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
 
-      def global_csrf_token(session) # :doc:
+      def global_csrf_token(session = nil) # :doc:
         csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
       end
 
@@ -519,31 +623,15 @@ module ActionController # :nodoc:
       end
 
       def generate_csrf_token # :nodoc:
-        if urlsafe_csrf_tokens
-          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
-        else
-          SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
-        end
+        SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
       end
 
       def encode_csrf_token(csrf_token) # :nodoc:
-        if urlsafe_csrf_tokens
-          Base64.urlsafe_encode64(csrf_token, padding: false)
-        else
-          Base64.strict_encode64(csrf_token)
-        end
+        Base64.urlsafe_encode64(csrf_token, padding: false)
       end
 
       def decode_csrf_token(encoded_csrf_token) # :nodoc:
-        if urlsafe_csrf_tokens
-          Base64.urlsafe_decode64(encoded_csrf_token)
-        else
-          begin
-            Base64.strict_decode64(encoded_csrf_token)
-          rescue ArgumentError
-            Base64.urlsafe_decode64(encoded_csrf_token)
-          end
-        end
+        Base64.urlsafe_decode64(encoded_csrf_token)
       end
   end
 end