Mercurial > lua-web-app / file comparison
comparison: src/http.lua
src/http.lua
- changeset 18
- b5c4b245e24c
- parent 16
- 68a0c983bf49
equal
deleted
inserted
replaced
| 17:b284dc4816cd | 18:b5c4b245e24c |
|---|---|
| 15 | 15 |
| 16 local log = require "util.logger".init("web"); | 16 local log = require "util.logger".init("web"); |
| 17 | 17 |
| 18 local csrf_token_len = #uuid.generate(); | 18 local csrf_token_len = #uuid.generate(); |
| 19 | 19 |
| 20 -- Add a CSRF token to the view data and cookie (for verification on next request) | |
| 20 local function check_csrf(event, viewdata) | 21 local function check_csrf(event, viewdata) |
| 21 local request, response = event.request, event.response; | 22 local request, response = event.request, event.response; |
| 22 web.unpack_cookies(request); | 23 web.unpack_cookies(request); |
| 23 local csrf_token = request.cookies.csrf_token; | 24 local csrf_token = request.cookies.csrf_token; |
| 24 log("debug", "csrf_token=%s", tostring(csrf_token)); | 25 log("debug", "csrf_token=%s", tostring(csrf_token)); |
| 25 if csrf_token and #csrf_token == csrf_token_len then | 26 if csrf_token and #csrf_token == csrf_token_len then |
| 27 -- We already have a CSRF token cookie | |
| 26 viewdata.csrf_token = csrf_token; | 28 viewdata.csrf_token = csrf_token; |
| 27 else | 29 else |
| 28 csrf_token = uuid.generate(); | 30 csrf_token = uuid.generate(); |
| 29 viewdata.csrf_token = csrf_token; | 31 viewdata.csrf_token = csrf_token; |
| 30 web.set_cookie(response.headers, "csrf_token=" .. csrf_token .. "; Path="..config.base_path.."; HttpOnly"); | 32 web.set_cookie(response.headers, "csrf_token=" .. csrf_token .. "; Path="..config.base_path.."; HttpOnly"); |
