15 |
15 |
16 local log = require "util.logger".init("web"); |
16 local log = require "util.logger".init("web"); |
17 |
17 |
18 local csrf_token_len = #uuid.generate(); |
18 local csrf_token_len = #uuid.generate(); |
19 |
19 |
|
20 -- Add a CSRF token to the view data and cookie (for verification on next request) |
20 local function check_csrf(event, viewdata) |
21 local function check_csrf(event, viewdata) |
21 local request, response = event.request, event.response; |
22 local request, response = event.request, event.response; |
22 web.unpack_cookies(request); |
23 web.unpack_cookies(request); |
23 local csrf_token = request.cookies.csrf_token; |
24 local csrf_token = request.cookies.csrf_token; |
24 log("debug", "csrf_token=%s", tostring(csrf_token)); |
25 log("debug", "csrf_token=%s", tostring(csrf_token)); |
25 if csrf_token and #csrf_token == csrf_token_len then |
26 if csrf_token and #csrf_token == csrf_token_len then |
|
27 -- We already have a CSRF token cookie |
26 viewdata.csrf_token = csrf_token; |
28 viewdata.csrf_token = csrf_token; |
27 else |
29 else |
28 csrf_token = uuid.generate(); |
30 csrf_token = uuid.generate(); |
29 viewdata.csrf_token = csrf_token; |
31 viewdata.csrf_token = csrf_token; |
30 web.set_cookie(response.headers, "csrf_token=" .. csrf_token .. "; Path="..config.base_path.."; HttpOnly"); |
32 web.set_cookie(response.headers, "csrf_token=" .. csrf_token .. "; Path="..config.base_path.."; HttpOnly"); |