Add CSRF hidden field helper
This commit is contained in:
parent
096138d6a1
commit
7fabccd90a
27
site/doc/pages/csrf_field.txt
Normal file
27
site/doc/pages/csrf_field.txt
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
:sig
|
||||||
|
String csrf_field(String session_name = "uce-session", String token_name = "csrf_token", String field_name = "")
|
||||||
|
|
||||||
|
:params
|
||||||
|
session_name : session/cookie name to store the token under
|
||||||
|
token_name : form/action token namespace
|
||||||
|
field_name : submitted POST field name; defaults to `token_name`
|
||||||
|
return value : HTML hidden input containing the active CSRF token
|
||||||
|
|
||||||
|
:content
|
||||||
|
Starts the named session if needed and returns the standard hidden form input for a CSRF token. The field name and generated token value are HTML-escaped.
|
||||||
|
|
||||||
|
Use this in ordinary server-rendered POST forms when the submitted field name should match `token_name`, or pass `field_name` when several forms share the same submitted parameter name but need separate token namespaces. Validate the submitted value with `csrf_valid(context.post[field_name], session_name, token_name)` before mutating state.
|
||||||
|
|
||||||
|
:example
|
||||||
|
?><form method="post">
|
||||||
|
<?= csrf_field("uce-doc-session") ?>
|
||||||
|
<?= csrf_field("uce-doc-session", "profile_form", "csrf_token") ?>
|
||||||
|
<button type="submit">Save</button>
|
||||||
|
</form><?
|
||||||
|
|
||||||
|
:see
|
||||||
|
>http
|
||||||
|
csrf_token
|
||||||
|
csrf_valid
|
||||||
|
csrf_rotate
|
||||||
|
session_start
|
||||||
@ -21,6 +21,7 @@ String token = csrf_token("uce-doc-session");
|
|||||||
:see
|
:see
|
||||||
>http
|
>http
|
||||||
csrf_valid
|
csrf_valid
|
||||||
|
csrf_field
|
||||||
csrf_rotate
|
csrf_rotate
|
||||||
session_start
|
session_start
|
||||||
random_bytes
|
random_bytes
|
||||||
|
|||||||
@ -37,6 +37,8 @@ RENDER(Request& context)
|
|||||||
URI port_uri = parse_uri("https://example.test:8443/status");
|
URI port_uri = parse_uri("https://example.test:8443/status");
|
||||||
String generated_session = session_id_create();
|
String generated_session = session_id_create();
|
||||||
String csrf = "";
|
String csrf = "";
|
||||||
|
String csrf_html = "";
|
||||||
|
String csrf_named_html = "";
|
||||||
String csrf_rotated = "";
|
String csrf_rotated = "";
|
||||||
bool csrf_ok = false;
|
bool csrf_ok = false;
|
||||||
bool csrf_bad = false;
|
bool csrf_bad = false;
|
||||||
@ -45,6 +47,8 @@ RENDER(Request& context)
|
|||||||
if(action != "destroy")
|
if(action != "destroy")
|
||||||
{
|
{
|
||||||
csrf = csrf_token("uce-site-tests", "http_form");
|
csrf = csrf_token("uce-site-tests", "http_form");
|
||||||
|
csrf_html = csrf_field("uce-site-tests", "http_form");
|
||||||
|
csrf_named_html = csrf_field("uce-site-tests", "http_form", "csrf_token");
|
||||||
csrf_ok = csrf_valid(csrf, "uce-site-tests", "http_form");
|
csrf_ok = csrf_valid(csrf, "uce-site-tests", "http_form");
|
||||||
csrf_bad = csrf_valid("not-" + csrf, "uce-site-tests", "http_form");
|
csrf_bad = csrf_valid("not-" + csrf, "uce-site-tests", "http_form");
|
||||||
csrf_rotate("uce-site-tests", "http_form");
|
csrf_rotate("uce-site-tests", "http_form");
|
||||||
@ -76,7 +80,11 @@ RENDER(Request& context)
|
|||||||
check("session_start()", session_id != "", "session_id=" + session_id);
|
check("session_start()", session_id != "", "session_id=" + session_id);
|
||||||
check("session_id_create()", generated_session.length() >= 16, generated_session);
|
check("session_id_create()", generated_session.length() >= 16, generated_session);
|
||||||
if(action != "destroy")
|
if(action != "destroy")
|
||||||
|
{
|
||||||
check("csrf_token() / csrf_valid() / csrf_rotate()", csrf.length() >= 32 && csrf_ok && !csrf_bad && !csrf_old_after_rotate && csrf_new_after_rotate, "csrf=" + csrf + " rotated=" + csrf_rotated);
|
check("csrf_token() / csrf_valid() / csrf_rotate()", csrf.length() >= 32 && csrf_ok && !csrf_bad && !csrf_old_after_rotate && csrf_new_after_rotate, "csrf=" + csrf + " rotated=" + csrf_rotated);
|
||||||
|
check("csrf_field()", csrf_html == "<input type=\"hidden\" name=\"http_form\" value=\"" + csrf + "\">", csrf_html);
|
||||||
|
check("csrf_field() custom field name", csrf_named_html == "<input type=\"hidden\" name=\"csrf_token\" value=\"" + csrf + "\">", csrf_named_html);
|
||||||
|
}
|
||||||
|
|
||||||
if(action == "destroy")
|
if(action == "destroy")
|
||||||
check("session_destroy()", session_dump.find("suite") == String::npos && context.session_id == "" && context.session_name == "" && !file_exists(session_path), session_dump + " path=" + session_path);
|
check("session_destroy()", session_dump.find("suite") == String::npos && context.session_id == "" && context.session_name == "" && !file_exists(session_path), session_dump + " path=" + session_path);
|
||||||
|
|||||||
@ -885,6 +885,13 @@ String csrf_token(String session_name, String token_name)
|
|||||||
return(context->session[key]);
|
return(context->session[key]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
String csrf_field(String session_name, String token_name, String field_name)
|
||||||
|
{
|
||||||
|
token_name = first(trim(token_name), "csrf_token");
|
||||||
|
field_name = first(trim(field_name), token_name);
|
||||||
|
return("<input type=\"hidden\" name=\"" + html_escape(field_name) + "\" value=\"" + html_escape(csrf_token(session_name, token_name)) + "\">");
|
||||||
|
}
|
||||||
|
|
||||||
bool csrf_valid(String submitted_token, String session_name, String token_name)
|
bool csrf_valid(String submitted_token, String session_name, String token_name)
|
||||||
{
|
{
|
||||||
session_start(session_name);
|
session_start(session_name);
|
||||||
|
|||||||
@ -34,6 +34,7 @@ void save_session_data(String session_id, StringMap data);
|
|||||||
String session_start(String session_name = "uce-session");
|
String session_start(String session_name = "uce-session");
|
||||||
void session_destroy(String session_name = "uce-session");
|
void session_destroy(String session_name = "uce-session");
|
||||||
String csrf_token(String session_name = "uce-session", String token_name = "csrf_token");
|
String csrf_token(String session_name = "uce-session", String token_name = "csrf_token");
|
||||||
|
String csrf_field(String session_name = "uce-session", String token_name = "csrf_token", String field_name = "");
|
||||||
bool csrf_valid(String submitted_token, String session_name = "uce-session", String token_name = "csrf_token");
|
bool csrf_valid(String submitted_token, String session_name = "uce-session", String token_name = "csrf_token");
|
||||||
void csrf_rotate(String session_name = "uce-session", String token_name = "csrf_token");
|
void csrf_rotate(String session_name = "uce-session", String token_name = "csrf_token");
|
||||||
String ws_make_accept_key(String client_key);
|
String ws_make_accept_key(String client_key);
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user