Use verify_authenticity_token directly

By adding a logger and setting the protection_strategy to raise an exception, we can use verify_authenticity_token directly. The main benefit of this is that we will get a more helpful error message attached to the exception.
cookpad · Sep 24, 2024 · 238f4f0 · 238f4f0
1 parent ca0b33e
commit 238f4f0
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/lib/omniauth/rails_csrf_protection/token_verifier.rb b/lib/omniauth/rails_csrf_protection/token_verifier.rb
@@ -28,22 +28,29 @@ def self.config
       # our configuration delegate to `ActionController::Base`.
       config.each_key do |key| config.delete(key) end
 
+      # OmniAuth expects us to raise an exception on auth failure.
+      self.forgery_protection_strategy = protection_method_class(:exception)
+
+      # Logging from ActionController::RequestForgeryProtection is redundant.
+      # OmniAuth logs basically the same message (from the exception).
+      self.log_warning_on_csrf_failure = false
+
       def call(env)
         dup._call(env)
       end
 
       def _call(env)
         @request = ActionDispatch::Request.new(env.dup)
 
-        unless verified_request?
-          raise ActionController::InvalidAuthenticityToken
-        end
+        verify_authenticity_token
       end
 
       private
 
         attr_reader :request
         delegate :params, :session, to: :request
+
+        delegate :logger, to: OmniAuth
     end
   end
 end