first commit

cmer · cmer · commit 246438061614 · 2012-09-13T16:10:16.000-04:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+*.gem
diff --git a/README.md b/README.md
@@ -0,0 +1,11 @@
+# Cacheable CSRF Token for Rails
+
+### Cache HTML containing CSRF protection tokens without worrying
+
+CacheableCSRFToken allows you to easily cache Ruby on Rails pages or partials containing a CSRF protection token. The user-specific token will inserted in the HTML before the response is sent to the user.
+
+#### Usage
+
+1. Add `cacheable-csrf-rails` to your Gemfile
+2. Add this line in ApplicationController:
+    `include CacheableCSRFTokenRails`
diff --git a/cacheable-csrf-token-rails.gemspec b/cacheable-csrf-token-rails.gemspec
@@ -0,0 +1,13 @@
+Gem::Specification.new do |s|
+  s.name        = %q{cacheable-csrf-token-rails}
+  s.version     = "0.1.0"
+  s.date        = %q{2012-09-13}
+  s.summary     = %q{Cache HTML containing CSRF protection tokens without worrying}
+  s.description = %q{CacheableCSRFToken allows you to easily cache Ruby on Rails pages or partials containing a CSRF protection token. The user-specific token will inserted in the HTML before the response is sent to the user.}
+  s.authors     = ["Carl Mercier"]
+  s.email       = ["carl@carlmercier.com"]
+  s.homepage    = "http://github.com/cmer/cacheable-csrf-token-rails"
+  s.files       = ["README.md", "lib/cacheable-csrf-token-rails.rb"]
+
+  s.add_dependency('rails', '>= 3.2.5')
+end
diff --git a/lib/cacheable-csrf-token-rails.rb b/lib/cacheable-csrf-token-rails.rb
@@ -0,0 +1,45 @@
+# Inspired from http://www.jarrodspillers.com/2010/02/06/trying-to-use-rails-csrf-protection-on-cached-actions-rack-middleware-to-the-rescue/ and https://gist.github.com/1124982/632f1fcbe0981424128b3088ddb27a322c369cc1
+
+module CacheableCSRFTokenRails
+  def self.included(base)
+
+    ApplicationController.const_set "TOKEN_PLACEHOLDER", "__CROSS_SITE_REQUEST_FORGERY_PROTECTION_TOKEN__"
+    base.class_eval do
+      after_filter  :inject_csrf_token
+
+      private
+      def inject_csrf_token
+        if protect_against_forgery? && token = session['_csrf_token']
+          if body_with_token = response.body.gsub!(ApplicationController::TOKEN_PLACEHOLDER, token)
+            response.body = body_with_token
+          end
+        end
+      end
+    end
+
+    ActionView::Helpers::FormTagHelper.class_eval do
+      alias_method :token_tag_rails, :token_tag
+
+      def token_tag(token=nil)
+        if token != false && protect_against_forgery?
+          token ||= form_authenticity_token
+          tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => ApplicationController::TOKEN_PLACEHOLDER)
+        else
+          ''
+        end
+      end
+    end
+
+    ActionView::Helpers::CsrfHelper.class_eval do
+      def csrf_meta_tags
+        if protect_against_forgery?
+          [
+            tag('meta', :name => 'csrf-param', :content => request_forgery_protection_token),
+            tag('meta', :name => 'csrf-token', :content => ApplicationController::TOKEN_PLACEHOLDER)
+          ].join("\n").html_safe
+        end
+      end
+    end
+
+  end # included
+end
