[nop][#406] Clarify client+server docstrings re: csrf-token

taoensso · Jul 25, 2022 · 841b33e · 841b33e
1 parent b84cfa5
commit 841b33e
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/src/taoensso/sente.cljc b/src/taoensso/sente.cljc
@@ -383,7 +383,9 @@
     :allowed-origins   ; e.g. #{\"http://site.com\" ...}, defaults to :all. ; Alpha
 
     :csrf-token-fn     ; ?(fn [ring-req]) -> CSRF-token for Ajax POSTs and WS handshake.
-                       ; CSRF check will be skipped iff nil (NOT RECOMMENDED!).
+                       ; nil => CSRF check will be DISABLED (can pose a *CSRF SECURITY RISK*
+                       ; for website use cases, so please ONLY disable this check if you're
+                       ; very sure you understand the implications!).
 
     :authorized?-fn    ; ?(fn [ring-req]) -> When non-nil, (authorized?-fn <ring-req>)
                        ; must return truthy, otherwise connection requests will be
@@ -1667,8 +1669,8 @@
 
      Required arguments:
        path              ; Channel socket server route/path (typically `/chsk`)
-       ?csrf-token-or-fn ; CSRF token string or (fn [])->string to match token
-                         ; expected by server.
+       ?csrf-token-or-fn ; CSRF string or (fn [])->string to match token expected by server.
+                         ; nil => server not expecting any CSRF token.
 
      Common options:
        :type           ; e/o #{:auto :ws :ajax}. You'll usually want the default (:auto).