actix-csrf-middleware 0.6.0

CSRF protection middleware for Actix Web applications. Supports double submit cookie and synchronizer token patterns (with actix-session) out of the box. Flexible, easy to configure, and includes test coverage for common attacks and edge cases.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

use actix_csrf_middleware::{
    CsrfMiddleware, CsrfMiddlewareConfig, CsrfPattern, DEFAULT_CSRF_TOKEN_HEADER,
};
use actix_web::test;

mod common;

#[actix_web::test]
async fn enforce_origin_allows_allowed_origin_double_submit() {
    let secret = b"good-origin-good-origin-good-origin-123";
    let cfg = CsrfMiddlewareConfig::double_submit_cookie(secret)
        .with_enforce_origin(true, vec!["https://good.example".to_string()]);
    let app = test::init_service(
        actix_web::App::new()
            .wrap(CsrfMiddleware::new(cfg))
            .configure(common::configure_routes),
    )
    .await;

    let (token, cookies) =
        common::token_and_cookies_for(&app, &CsrfPattern::DoubleSubmitCookie).await;

    let mut req = test::TestRequest::post().uri("/submit");
    for c in cookies {
        req = req.cookie(c);
    }
    req = req.insert_header((DEFAULT_CSRF_TOKEN_HEADER, token));
    req = req.insert_header(("Origin", "https://good.example"));

    let resp = test::call_service(&app, req.to_request()).await;
    assert!(resp.status().is_success());
}

#[actix_web::test]
async fn enforce_origin_blocks_disallowed_origin_double_submit() {
    let secret = b"good-origin-good-origin-good-origin-123";
    let cfg = CsrfMiddlewareConfig::double_submit_cookie(secret)
        .with_enforce_origin(true, vec!["https://good.example".to_string()]);
    let app = test::init_service(
        actix_web::App::new()
            .wrap(CsrfMiddleware::new(cfg))
            .configure(common::configure_routes),
    )
    .await;

    let (token, cookies) =
        common::token_and_cookies_for(&app, &CsrfPattern::DoubleSubmitCookie).await;

    let mut req = test::TestRequest::post().uri("/submit");
    for c in cookies {
        req = req.cookie(c);
    }
    req = req.insert_header((DEFAULT_CSRF_TOKEN_HEADER, token));
    req = req.insert_header(("Origin", "https://evil.example"));

    let resp = test::call_service(&app, req.to_request()).await;
    assert_eq!(resp.status(), actix_web::http::StatusCode::FORBIDDEN);
}

#[actix_web::test]
async fn enforce_origin_uses_referer_when_origin_absent_double_submit() {
    let secret = b"good-origin-good-origin-good-origin-123";
    let cfg = CsrfMiddlewareConfig::double_submit_cookie(secret)
        .with_enforce_origin(true, vec!["https://good.example".to_string()]);
    let app = test::init_service(
        actix_web::App::new()
            .wrap(CsrfMiddleware::new(cfg))
            .configure(common::configure_routes),
    )
    .await;

    let (token, cookies) =
        common::token_and_cookies_for(&app, &CsrfPattern::DoubleSubmitCookie).await;

    let mut req = test::TestRequest::post().uri("/submit");
    for c in cookies {
        req = req.cookie(c);
    }
    req = req.insert_header((DEFAULT_CSRF_TOKEN_HEADER, token));
    req = req.insert_header(("Referer", "https://good.example/path?q=1"));

    let resp = test::call_service(&app, req.to_request()).await;
    assert!(resp.status().is_success());
}