7 CSRF
(require koyo/csrf)    package: koyo-lib
This module provides a wrapper function for protecting your application against cross-site request forgery (CSRF) attacks.
parameter
(current-csrf-token-generator) → (-> non-empty-string?)
(current-csrf-token-generator generator) → void?
  generator : (-> non-empty-string?)
  = generate-random-string
Contains the function that is used to generate new CSRF tokens.
parameter
(current-csrf-token) → (or/c #f non-empty-string?)
(current-csrf-token token) → void?
  token : (or/c #f non-empty-string?)
Holds the CSRF token for the current request. If the current
request handler was wrapped with wrap-csrf, then this is
guaranteed to contain a non-empty string.
parameter
(current-csrf-token-reader) → (-> request? (or/c #f non-empty-string?))
(current-csrf-token-reader reader) → void?
  reader : (-> request? (or/c #f non-empty-string?))
Contains the function that is used to extract the submitted CSRF token
from the request. The default implementation first looks for a header
called x-csrf-token and, if that is absent, falls back to a request
binding called csrf-token (for example a hidden form field). The reader
only extracts the token; comparison against the session's token is done
by wrap-csrf.
parameter
(current-csrf-error-handler) → (-> request? response?)
(current-csrf-error-handler handler) → void?
  handler : (-> request? response?)
Holds the request handler that is invoked when the request does not
contain a valid CSRF token. The default implementation returns a
403 Forbidden response along with some HTML describing the
issue.
procedure
((wrap-csrf sessions) handler) → (-> request? any/c ... response?)
  sessions : session-manager?
  handler : procedure?
Wraps a handler such that any incoming DELETE, POST or PUT request
that does not contain a valid CSRF token is rejected by passing the
request to current-csrf-error-handler instead of the wrapped handler.
Requests using other methods are passed through without a token check,
so state-changing work must not be reachable through GET.
CSRF tokens are generated automatically and stored in each user's
session. If a user's session already contains a CSRF token, that token
is reused until the session expires.
This wrapper must be applied after wrap-session: the session wrapper
has to be the outer one so that the session is already loaded when
wrap-csrf looks up or stores the token.
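The following is an added example, not code from the koyo documentation or the koyo project. It shows the wrapper order (wrap-session outside wrap-csrf), a form that carries the token in the csrf-token binding the default reader looks for, and a replacement 403 handler installed through current-csrf-error-handler. The session-manager constructor, its keyword arguments and make-memory-session-store are assumed to come from koyo/session; they are not documented on this page. The secret key is a placeholder.

```racket
#lang racket/base

;; Added example (not from the koyo documentation): a minimal koyo app with
;; wrap-session and wrap-csrf stacked in the required order, a form that
;; carries the token, and a custom 403 handler.
(require koyo/csrf
         koyo/session
         web-server/dispatch
         web-server/http
         web-server/servlet-env)

;; ASSUMPTION: make-session-manager, make-memory-session-store and these
;; keyword arguments come from koyo/session; they are not shown on the
;; CSRF page itself.
(define sessions
  (make-session-manager
   #:cookie-name "_sid"
   #:cookie-secure? #t
   #:cookie-http-only? #t
   #:cookie-same-site 'lax
   #:shelf-life (* 7 24 60 60)
   ;; Placeholder key for the example only; load a real secret in production.
   #:secret-key (string->bytes/utf-8 (make-string 32 #\x))
   #:store (make-memory-session-store)))

;; GET /: render the form. Because this handler runs inside wrap-csrf,
;; (current-csrf-token) is guaranteed to be a non-empty string here.
(define (show-form _req)
  (response/xexpr
   `(html
     (body
      (form ([method "POST"] [action "/transfer"])
            ;; The hidden field must be named "csrf-token": that is the
            ;; binding the default current-csrf-token-reader falls back to.
            ;; A JavaScript client would instead send the same value in an
            ;; x-csrf-token request header.
            (input ([type "hidden"] [name "csrf-token"] [value ,(current-csrf-token)]))
            (input ([type "number"] [name "amount"]))
            (button "Transfer"))))))

;; POST /transfer: only reached when the submitted token matched the one in
;; the session. Requests without a valid token are diverted to the error
;; handler before this function runs.
(define (do-transfer req)
  (define amount (bindings-assq #"amount" (request-bindings/raw req)))
  (response/xexpr
   `(html (body (p ,(format "transferred ~a"
                            (and amount (binding:form-value amount))))))))

;; Replacement for the default error handler: same 403 status, but a
;; response body under our control.
(define (csrf-failure _req)
  (response/xexpr
   #:code 403
   `(html (body (h1 "Forbidden") (p "Missing or invalid CSRF token.")))))

(current-csrf-error-handler csrf-failure)

(define-values (app _reverse-uri)
  (dispatch-rules
   [("") #:method "get" show-form]
   [("transfer") #:method "post" do-transfer]))

;; wrap-session is the OUTER wrapper so the session is loaded before
;; wrap-csrf looks up or creates the token. Reversing the order would leave
;; wrap-csrf with no session to store the token in.
(define protected-app
  ((wrap-session sessions)
   ((wrap-csrf sessions) app)))

(module+ main
  (serve/servlet protected-app
                 #:servlet-regexp #rx""
                 #:launch-browser? #f
                 #:port 8000))
```

Running the module and POSTing to /transfer without the hidden field (or with a token copied from a different session) yields the csrf-failure response; submitting the rendered form succeeds because the browser sends the session cookie and the matching token together. A GET to /transfer is not checked by wrap-csrf at all, which is why the route above is restricted to POST.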