Manual implementation of Csrf Protection?

I am implementing the code in this faye pub/sub
tutorial(http://faye.jcoglan.com/security/csrf.html) – go to the
example
rails section to see the code I am talking about.

What it does is when a message is to be published, it goes through the
CsrfProtection class. Session_token comes from the csrf_token rails
stores
in a session, and the message_token comes from the tag
authenticity
token in the html code that is extracted by javascript and passed to the
CsrfProtection class as a message_token.

This code always seems to produce an error because the authenticity
token
in the html of the site, is different from the stored csrf_token in
rails.

After inspecting this, I realized that the rails actually encrypts and
decrypts tokens, and so to properly compare the authenticity token with
the
csrf_token in session, one has to first decrypt it.
There should be a rails method that allows you to manually compare the
csrf_token with the authenticity token so one can secure pub/sub
channels
(and to my knowledge, publishing to a pub/sub channel doesn’t go through
a
rails action, and so one can’t use the protect_from_forgery thing).

Thoughts on this? What is the way to protect the pub/sub channel from
csrf
protection?

https://github.com/rails/rails/blob/e7feaff70f13b56a0507e9f4dfaf3ebc361cb8e6/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L197

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs