# HG changeset patch
# User Matthew Wild
# Date 1687465916 -3600
# Node ID b5c4b245e24c38bedad8a631529006696c72dc1c
# Parent b284dc4816cdaa486385f062b77d5b5e6a16cd5e
http: Add some helpful comments regarding auth/CSRF
diff -r b284dc4816cd -r b5c4b245e24c src/http.lua
--- a/src/http.lua Thu Jun 22 21:31:36 2023 +0100
+++ b/src/http.lua Thu Jun 22 21:31:56 2023 +0100
@@ -17,12 +17,14 @@
 local csrf_token_len = #uuid.generate();
+-- Add a CSRF token to the view data and cookie (for verification on next request)
 local function check_csrf(event, viewdata)
 local request, response = event.request, event.response;
 web.unpack_cookies(request);
 local csrf_token = request.cookies.csrf_token;
 log("debug", "csrf_token=%s", tostring(csrf_token));
 if csrf_token and #csrf_token == csrf_token_len then
+ -- We already have a CSRF token cookie
 viewdata.csrf_token = csrf_token;
 else
 csrf_token = uuid.generate();
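Review bot: The comment added inside the `if` branch says only that a cookie already exists, but the value it accepts is client-supplied and checked for length alone (`#csrf_token == csrf_token_len`) before being copied into `viewdata.csrf_token`. I would say so in the comment, e.g. `-- Cookie is client-controlled and only length-checked here; verification presumably happens where the submitted form token is compared with it`, so that nobody reads this branch as validation. The name `check_csrf` also suggests verification while the new header comment describes issuing the token, so the header could name where the comparison is actually done. Separately, the unchanged line `log("debug", "csrf_token=%s", tostring(csrf_token))` writes the token to the log and may be worth dropping or truncating if debug logs are shared. The body of `check_csrf` continues past the end of this hunk.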