csrf_token_caching 0.0.1

@@ -0,0 +1,17 @@
1
+ *.gem
2
+ *.rbc
3
+ .bundle
4
+ .config
5
+ .yardoc
6
+ Gemfile.lock
7
+ InstalledFiles
8
+ _yardoc
9
+ coverage
10
+ doc/
11
+ lib/bundler/man
12
+ pkg
13
+ rdoc
14
+ spec/reports
15
+ test/tmp
16
+ test/version_tmp
17
+ tmp
data/Gemfile ADDED
@@ -0,0 +1,4 @@
1
+ source 'https://rubygems.org'
2
+
3
+ # Specify your gem's dependencies in csrf_token_caching.gemspec
4
+ gemspec
@@ -0,0 +1,22 @@
1
+ Copyright (c) 2013 Manu S Ajith <neo@codingarena.in>
2
+
3
+ MIT License
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining
6
+ a copy of this software and associated documentation files (the
7
+ "Software"), to deal in the Software without restriction, including
8
+ without limitation the rights to use, copy, modify, merge, publish,
9
+ distribute, sublicense, and/or sell copies of the Software, and to
10
+ permit persons to whom the Software is furnished to do so, subject to
11
+ the following conditions:
12
+
13
+ The above copyright notice and this permission notice shall be
14
+ included in all copies or substantial portions of the Software.
15
+
16
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@@ -0,0 +1,37 @@
1
+ # CsrfTokenCaching
2
+
3
+ One of the notable features of Rails is the use of CSRF (Cross Site Request Forgery). The CSRF token is implemented by embedding a server side generated token to all the pages that is generated. When rails render a new page, it will generate an authenticity token and will embed the same into a hidden field and will be stored in the session object. Whenever a request to Edit or Update an object is received rails will check the authenticity of the token and will reject it if it isnt valid.
4
+
5
+ ###CSRF token with Action Caching ###
6
+
7
+ Consider an example where a user named "User1" comes to the application. For this user the CSRF token will be newly generated, also note that a cached copy of the file will be stored on the server. If another user "User2" visits the same page, then he/she will be getting the cached copy of the file with the CSRF token for the first user. Now if the second user tries to edit/update an object, then there will be mismatches in the CSRF token and he/she will get an error.
8
+
9
+ ###Solution ###
10
+
11
+ In some cases disabling the CSRF token can solve the above problem, but it is not advisable to have CSRF disabled in your application. The workaround is to modify the module which is responsible for generating the authenticity token in such a way that we are able to split the token later and can match that against the requests.
12
+
13
+ ## Installation
14
+
15
+ Add this line to your application's Gemfile:
16
+
17
+ gem 'csrf_token_caching'
18
+
19
+ And then execute:
20
+
21
+ $ bundle
22
+
23
+ Or install it yourself as:
24
+
25
+ $ gem install csrf_token_caching
26
+
27
+ ## Usage
28
+
29
+ TODO: Write usage instructions here
30
+
31
+ ## Contributing
32
+
33
+ 1. Fork it
34
+ 2. Create your feature branch (`git checkout -b my-new-feature`)
35
+ 3. Commit your changes (`git commit -am 'Add some feature'`)
36
+ 4. Push to the branch (`git push origin my-new-feature`)
37
+ 5. Create new Pull Request
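Review bot: the Usage section (hunk line 29) is still the generator's `TODO: Write usage instructions here`, yet the gem only does anything once the module is included in a controller (the `included` hook in lib/csrf_token_caching.rb registers the `after_filter` on `base` and hardcodes `ApplicationController`), so the README should show the one line a user actually needs, `include CsrfTokenCaching` in `ApplicationController`, and say that the page has to be served through action caching for the placeholder substitution to matter. The two headings `###CSRF token with Action Caching ###` and `###Solution ###` (lines 5 and 9) have no space after the hashes, so GitHub-flavoured Markdown renders them as literal text instead of headings; write `### CSRF token with Action Caching` and `### Solution`. Minor wording on line 3: "When rails render a new page" should be "When Rails renders a new page" and "isnt" should be "isn't".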
@@ -0,0 +1 @@
1
+ require "bundler/gem_tasks"
@@ -0,0 +1,23 @@
1
+ # coding: utf-8
2
+ lib = File.expand_path('../lib', __FILE__)
3
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
+ require 'csrf_token_caching/version'
5
+
6
+ Gem::Specification.new do |spec|
7
+ spec.name = "csrf_token_caching"
8
+ spec.version = CsrfTokenCaching::VERSION
9
+ spec.authors = ["Manu S Ajith"]
10
+ spec.email = ["neo@codingarena.in"]
11
+ spec.description = %q{Gem to handle CSRF protection token while using caching}
12
+ spec.summary = %q{This gem will easily allow the users to use caching with CSRF tokens, it will insert a user specific token in the HTML pages for each response that is sent.}
13
+ spec.homepage = "https://github.com/manusajith/csrf_token_caching"
14
+ spec.license = "MIT"
15
+
16
+ spec.files = `git ls-files`.split($/)
17
+ spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
18
+ spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
19
+ spec.require_paths = ["lib"]
20
+
21
+ spec.add_development_dependency "bundler", "~> 1.3"
22
+ spec.add_development_dependency "rake"
23
+ end
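Review bot: no runtime dependency is declared (only `bundler` and `rake` as development dependencies, hunk lines 21-22), even though lib/csrf_token_caching.rb calls `after_filter`, `form_authenticity_token`, `protect_against_forgery?` and reopens `ActionView::Helpers::FormTagHelper` and `ActionView::Helpers::CsrfHelper`; add `spec.add_dependency "actionpack"` with a version constraint that matches the `token_tag(token=nil)` signature the patch overrides, so that `gem install csrf_token_caching` cannot succeed on a host where those classes are absent and so that a future Rails change to `token_tag` is caught at dependency resolution. Lines 11-12: `description` and `summary` are the wrong way round for RubyGems conventions (the summary is meant to be the short one-liner, the description the longer text).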
@@ -0,0 +1,44 @@
1
+ require "csrf_token_caching/version"
2
+
3
+ module CsrfTokenCaching
4
+ def self.included(base)
5
+
6
+ ApplicationController.const_set "TOKEN_PLACEHOLDER", "__CROSS_SITE_REQUEST_FORGERY_PROTECTION_TOKEN__"
7
+ base.class_eval do
8
+ after_filter :inject_csrf_token
9
+
10
+ private
11
+ def inject_csrf_token
12
+ if protect_against_forgery? && token = form_authenticity_token
13
+ if body_with_token = response.body.gsub!(ApplicationController::TOKEN_PLACEHOLDER, token)
14
+ response.body = body_with_token
15
+ end
16
+ end
17
+ end
18
+ end
19
+
20
+ ActionView::Helpers::FormTagHelper.class_eval do
21
+ alias_method :token_tag_rails, :token_tag
22
+
23
+ def token_tag(token=nil)
24
+ if token != false && protect_against_forgery?
25
+ tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => ApplicationController::TOKEN_PLACEHOLDER)
26
+ else
27
+ ''
28
+ end
29
+ end
30
+ end
31
+
32
+ ActionView::Helpers::CsrfHelper.class_eval do
33
+ def csrf_meta_tags
34
+ if protect_against_forgery?
35
+ [
36
+ tag('meta', :name => 'csrf-param', :content => request_forgery_protection_token),
37
+ tag('meta', :name => 'csrf-token', :content => ApplicationController::TOKEN_PLACEHOLDER)
38
+ ].join("\n").html_safe
39
+ end
40
+ end
41
+ end
42
+
43
+ end # included
44
+ end
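Review bot: `inject_csrf_token` (hunk lines 11-16) substitutes the fixed placeholder throughout the entire response body, so any response that happens to contain the literal string `__CROSS_SITE_REQUEST_FORGERY_PROTECTION_TOKEN__` outside the tags emitted by `token_tag` and `csrf_meta_tags` (for example user-supplied content rendered into the page) would have the current session's real authenticity token written into it; restrict the substitution to HTML responses (`return unless response.content_type =~ /html/`) and to the exact `value="..."` and `content="..."` attribute forms the two helpers emit. The same filter calls `form_authenticity_token` on every response, which writes a token into the session and so creates one for requests that would otherwise have none, and it runs `gsub!` over JSON, binary and streamed bodies that are not plain HTML strings. Correctness with `caches_action` also rests on filter ordering that nothing in this patch asserts: the cached copy must still hold the placeholder (the caching filter has to capture the body before this after_filter rewrites it) and the filter must still run on a cache hit; a test covering the miss and hit paths would settle both. Smaller points: `ApplicationController.const_set` (line 6) hardcodes the class name where `base.const_set` would serve any including controller; `alias_method :token_tag_rails, :token_tag` (line 21) is never called and is re-run on every include, so a second include aliases the already-patched method and the original is lost; and the assignment inside `if protect_against_forgery? && token = form_authenticity_token` (line 12) is easier to read as `token = form_authenticity_token` on its own line followed by the condition.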
@@ -0,0 +1,3 @@
1
+ module CsrfTokenCaching
2
+ VERSION = "0.0.1"
3
+ end
metadata ADDED
@@ -0,0 +1,88 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: csrf_token_caching
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.0.1
5
+ prerelease:
6
+ platform: ruby
7
+ authors:
8
+ - Manu S Ajith
9
+ autorequire:
10
+ bindir: bin
11
+ cert_chain: []
12
+ date: 2013-05-22 00:00:00.000000000 Z
13
+ dependencies:
14
+ - !ruby/object:Gem::Dependency
15
+ name: bundler
16
+ requirement: !ruby/object:Gem::Requirement
17
+ none: false
18
+ requirements:
19
+ - - ~>
20
+ - !ruby/object:Gem::Version
21
+ version: '1.3'
22
+ type: :development
23
+ prerelease: false
24
+ version_requirements: !ruby/object:Gem::Requirement
25
+ none: false
26
+ requirements:
27
+ - - ~>
28
+ - !ruby/object:Gem::Version
29
+ version: '1.3'
30
+ - !ruby/object:Gem::Dependency
31
+ name: rake
32
+ requirement: !ruby/object:Gem::Requirement
33
+ none: false
34
+ requirements:
35
+ - - ! '>='
36
+ - !ruby/object:Gem::Version
37
+ version: '0'
38
+ type: :development
39
+ prerelease: false
40
+ version_requirements: !ruby/object:Gem::Requirement
41
+ none: false
42
+ requirements:
43
+ - - ! '>='
44
+ - !ruby/object:Gem::Version
45
+ version: '0'
46
+ description: Gem to handle CSRF protection token while using caching
47
+ email:
48
+ - neo@codingarena.in
49
+ executables: []
50
+ extensions: []
51
+ extra_rdoc_files: []
52
+ files:
53
+ - .gitignore
54
+ - Gemfile
55
+ - LICENSE.txt
56
+ - README.md
57
+ - Rakefile
58
+ - csrf_token_caching.gemspec
59
+ - lib/csrf_token_caching.rb
60
+ - lib/csrf_token_caching/version.rb
61
+ homepage: https://github.com/manusajith/csrf_token_caching
62
+ licenses:
63
+ - MIT
64
+ post_install_message:
65
+ rdoc_options: []
66
+ require_paths:
67
+ - lib
68
+ required_ruby_version: !ruby/object:Gem::Requirement
69
+ none: false
70
+ requirements:
71
+ - - ! '>='
72
+ - !ruby/object:Gem::Version
73
+ version: '0'
74
+ required_rubygems_version: !ruby/object:Gem::Requirement
75
+ none: false
76
+ requirements:
77
+ - - ! '>='
78
+ - !ruby/object:Gem::Version
79
+ version: '0'
80
+ requirements: []
81
+ rubyforge_project:
82
+ rubygems_version: 1.8.24
83
+ signing_key:
84
+ specification_version: 3
85
+ summary: This gem will easily allow the users to use caching with CSRF tokens, it
86
+ will insert a user specific token in the HTML pages for each response that is sent.
87
+ test_files: []
88
+ has_rdoc: