[Feature Request] CSRF protection #30

Open
evandrodacs opened this issue Jan 27, 2024 · 2 comments
Comments

@evandrodacs

Hi,
great project!

I would like to make a feature request: implement CSRF protection on fullmoon

For this, it would be necessary to implement two functions: one to generate the token and another to validate it later.

Thanks!

@pkulchenko pkulchenko self-assigned this Jan 27, 2024
@pkulchenko
Owner

@evandrodacs, agree; I've been looking into that with the API that may look like this:

  • token = makeCsrfToken([url,[tokenname]]) -- returns a token to be added to a template
    - get the value from the current csrf session cookie; generate if necessary; use session secret if not specified
    - url is to make the token per page instead of per session; pass true to make it per session? or rather pass nil to make it per session (default) and pass true to use the current path value?
  • valid = checkCsrfToken([tokenname][,403]) -- get the value from cookie; compare with the field value, return 403 error
    - should checkCsrfToken also accept the url value? if so, then the call is likely to be `checkCsrfToken([url,[tokenname]][,403])`

@evandrodacs
Author

Hello, thank you for the quick response.

I always use CSRF tokens per session :)

For me, the two functions makeCsrfToken() and checkCsrfToken() without arguments solve my problem!

But you can make the argument optional, allowing true for the current path or a string URL.
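
The generate/validate split discussed in the two comments above (per-session token by default, optionally scoped to a path), as an added example that is not fullmoon's code and is written in Python rather than Lua so it runs stand-alone. It assumes a per-session random secret is already available from the session cookie, a hidden form field named `csrf_token` (an assumed default for the `tokenname` argument), and a request represented as a plain dict; none of those names come from the project.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hidden form field carrying the token (assumed default for `tokenname`).
TOKEN_FIELD = "csrf_token"


def new_session_secret() -> str:
    """Random per-session secret, assumed to be kept in the session cookie."""
    return secrets.token_hex(32)


def make_csrf_token(session_secret: str, url: Optional[str] = None) -> str:
    """Derive the token from the session secret with HMAC-SHA256.

    url=None gives a per-session token (the default in the thread); passing a
    path gives a per-page token, so a token issued for one page does not
    validate on another. Because the token is derived, nothing beyond the
    session secret has to be stored server-side.
    """
    scope = url.encode() if url else b""
    key = bytes.fromhex(session_secret)
    return hmac.new(key, scope, hashlib.sha256).hexdigest()


def check_csrf_token(session_secret: Optional[str], submitted: Optional[str],
                     url: Optional[str] = None) -> bool:
    """Recompute the expected token and compare it in constant time."""
    if not session_secret or not submitted:
        return False  # no session or no field: treat as forged
    expected = make_csrf_token(session_secret, url)
    return hmac.compare_digest(expected, submitted)


def handle_post(request: dict, per_page: bool = False) -> int:
    """Toy POST handler: 200 if the token checks out, otherwise 403."""
    url = request["path"] if per_page else None
    ok = check_csrf_token(request.get("session_secret"),
                          request.get("form", {}).get(TOKEN_FIELD), url)
    return 200 if ok else 403


def demo() -> dict:
    """Constructed requests showing which submissions pass and which fail."""
    victim = new_session_secret()
    attacker = new_session_secret()
    results = {}

    # Same-origin form rendered with a per-session token: accepted.
    token = make_csrf_token(victim)
    results["own_form"] = handle_post(
        {"path": "/transfer", "session_secret": victim,
         "form": {TOKEN_FIELD: token}})

    # Cross-site form: the browser attaches the victim's cookie, but the
    # attacker's page cannot read the token, so the field is absent: rejected.
    results["cross_site_no_token"] = handle_post(
        {"path": "/transfer", "session_secret": victim, "form": {}})

    # Attacker submits a token minted in their own session: wrong secret.
    results["attacker_token"] = handle_post(
        {"path": "/transfer", "session_secret": victim,
         "form": {TOKEN_FIELD: make_csrf_token(attacker)}})

    # Per-page mode: a token issued for /profile is rejected on /transfer
    # but accepted on /profile.
    profile_token = make_csrf_token(victim, "/profile")
    results["wrong_page"] = handle_post(
        {"path": "/transfer", "session_secret": victim,
         "form": {TOKEN_FIELD: profile_token}}, per_page=True)
    results["right_page"] = handle_post(
        {"path": "/profile", "session_secret": victim,
         "form": {TOKEN_FIELD: profile_token}}, per_page=True)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The template side only needs to embed `make_csrf_token(...)` in a hidden field; the check side must use a constant-time comparison (here `hmac.compare_digest`) rather than `==`, and a Lua port would need the same property from whatever comparison it uses.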
