crissy 0.1.1

CSRF protection middleware for Axum
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312

#![cfg_attr(docsrs, feature(doc_cfg))]

//! # crissy
//!
//! `crissy` is a middleware for [axum](https://crates.io/crates/axum) that protects
//! (browser-facing) web resources from cross-site request forgery (CSRF) attacks.
//!
//! ## Usage
//!
//! In short:
//!
//! - Pick a [`middleware`] and layer it in
//! - Extract [`CsrfToken`]
//! - Add [`CsrfToken::expected_csrf_token`] to your form
//! - Call [`CsrfToken::validate`] in your form handler
//!
//! For example:
//!
//! ```
//! use axum::{
//!     Form, Router,
//!     response::{Html, IntoResponse},
//!     routing::get,
//! };
//! use crissy::CsrfToken;
//! use serde::Deserialize;
//! use tokio::net::TcpListener;
//!
//! # #[cfg(feature = "cookie")]
//! let app = Router::<()>::new()
//!     .route("/", get(route_index).post(route_post))
//!     .layer(axum::middleware::from_fn(crissy::middleware::cookie));
//! // Run `app` as usual
//!
//! async fn route_index(csrf: CsrfToken) -> impl IntoResponse {
//!     Html(format!(
//!         r#"<form method="POST">
//!     <input type="hidden" name="csrf_token" value="{csrf}"/>
//!     <button type="submit">Submit</button>
//! </form>"#,
//!         csrf = csrf.expected_csrf_token,
//!     ))
//! }
//!
//! #[derive(Deserialize)]
//! struct Body {
//!     csrf_token: String,
//! }
//! async fn route_post(csrf: CsrfToken, body: Form<Body>) -> Result<impl IntoResponse, crissy::Error> {
//!     csrf.validate(&body.csrf_token)?;
//!     Ok("validation successful!")
//! }
//! ```
//!
//! ## Feature flags
//!
//! crissy supports the following feature flags:
//!
//! | Name        | Default | Description                |
//! |-------------|---------|----------------------------|
//! | `cookie`    | Yes     | [`middleware::cookie`]     |
//! | `client_ip` | No      | [`middleware::client_ip`]  |
//! | `full`      | No      | Enables all feature flags. |

#[cfg(feature = "client_ip")]
mod client_address;

use axum::{extract::FromRequestParts, http::StatusCode, response::IntoResponse};
use snafu::{OptionExt as _, Snafu};

#[derive(Debug, Snafu)]
pub enum Error {
    /// invalid CSRF token
    InvalidCsrf,
    /// no crissy middleware enabled
    NoMiddleware,
}

impl Error {
    pub fn status_code(&self) -> StatusCode {
        match self {
            Self::InvalidCsrf => StatusCode::BAD_REQUEST,
            Self::NoMiddleware => StatusCode::INTERNAL_SERVER_ERROR,
        }
    }
}
impl IntoResponse for Error {
    fn into_response(self) -> axum::response::Response {
        (self.status_code(), format!("{self}")).into_response()
    }
}

/// Users must use exactly one middleware from this module, which is responsible for
/// generating and maintaining the CSRF tokens.
///
/// Typically, you should prefer [`middleware::cookie`].
pub mod middleware {
    #[cfg(feature = "client_ip")]
    use std::{net::IpAddr, sync::Arc};

    #[cfg(feature = "client_ip")]
    use axum::extract::State;
    #[cfg(any(feature = "cookie", feature = "client_ip"))]
    use axum::{extract::Request, middleware::Next, response::IntoResponse};
    #[cfg(feature = "cookie")]
    use axum_extra::extract::{CookieJar, cookie::Cookie};

    #[cfg(any(feature = "cookie", feature = "client_ip"))]
    use crate::CsrfToken;
    #[cfg(feature = "client_ip")]
    use crate::client_address::ClientAddress;

    /// Configuration required by [`client_ip`], to be implemented over your [`State`].
    #[cfg(feature = "client_ip")]
    pub trait ClientIpConfig {
        /// Pepper used to prevent attackers from forging their own CSRF tokens.
        ///
        /// Should be configured to use a relatively static but high-quality random value.
        ///
        /// Rotating this key will invalidate all existing CSRF tokens.
        fn csrf_secret_key(&self) -> &[u8];

        /// Checks whether a client is a trusted reverse proxy that should be allowed to
        /// impersonate another IP address by sending an
        /// [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For)
        /// header.
        ///
        /// `crissy` allows nested forwarding; the whole chain will be followed up until the
        /// first untrusted forwarder.
        ///
        /// If this check is too narrow then all clients will be given the same CSRF token
        /// (based on your reverse proxy's IP address).
        /// If it is too broad then untrusted clients can forge arbitrary tokens simply
        /// by sending their own `X-Forwarded-For` header.
        ///
        /// # Reference implementations
        ///
        /// If there is no reverse proxy then this function should be configured to always return `false`.
        ///
        /// If the only reverse proxy is running on localhost then it should return [`addr.is_loopback()`](`IpAddr::is_loopback`).
        ///
        /// # Caveats
        ///
        /// Keep in mind that hostnames (including `localhost`) may often resolve to *both* IPv4 and IPv6
        /// addresses.
        ///
        /// If so, this function *must* be consistent across both.
        fn is_trusted_forwarder(&self, addr: IpAddr) -> bool;
    }
    #[cfg(feature = "client_ip")]
    impl<S: ClientIpConfig> ClientIpConfig for Arc<S> {
        fn csrf_secret_key(&self) -> &[u8] {
            S::csrf_secret_key(self)
        }
        fn is_trusted_forwarder(&self, addr: IpAddr) -> bool {
            S::is_trusted_forwarder(self, addr)
        }
    }

    /// Generates CSRF tokens based on the client's IP address.
    ///
    /// This can be used to enable CSRF protection in contexts where cookies are not available,
    /// for whatever reasons. If cookies *are* available, prefer [`cookie`] instead.
    ///
    /// Note that this does not (by itself) validate the tokens!
    /// That must be done by calling [`CsrfToken::validate`].
    ///
    /// # Requirements
    ///
    /// This implementation requires that the request supports [`axum::extract::ConnectInfo`],
    /// such as by using [`axum::Router::into_make_service_with_connect_info`].
    ///
    /// # Security Caveats
    ///
    /// Before using this strategy, READ THIS WHOLE SECTION.
    /// This method is easy to misconfigure, rendering it effectively useless.
    ///
    /// ## Salting
    ///
    /// IP addresses are peppered with a global secret key, in order to prevent
    /// third parties from generating their own tokens.
    ///
    /// See [`ClientIpConfig::csrf_secret_key`].
    ///
    /// ## Reverse Proxies
    ///
    /// This strategy requires clients to know the client's "true" IP address,
    /// which is often obscured by reverse proxies.
    ///
    /// Hence, any reverse proxy *must* be configured to send the
    /// [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For)
    /// header, and `crissy` must be configured to trust it by implementing [`ClientIpConfig::is_trusted_forwarder`].
    ///
    /// Otherwise, all clients will unconditionally end up being given the same CSRF token
    /// (for the reverse proxy's IP address).
    ///
    /// ## Network Address Translation/IP Reuse
    ///
    /// This strategy can only know about IP addresses, which these days often
    /// cover whole households, and [sometimes](https://en.wikipedia.org/wiki/Carrier-grade_NAT)
    /// even unrelated blocks of users.
    ///
    /// Users with the same IP address will be given the same CSRF token,
    /// and hence be able to mount CSRF attacks against each others.
    ///
    /// # SemVer
    ///
    /// Note that the exact signature is *unstable*, and may change without future SemVer bumps!
    /// The only thing that is safe to rely on is that it can be used with [`axum::middleware::from_fn_with_state`].
    #[cfg(feature = "client_ip")]
    pub async fn client_ip<S: ClientIpConfig>(
        state: State<S>,
        client_addr: ClientAddress,
        mut request: Request,
        next: Next,
    ) -> impl IntoResponse {
        use sha2::{Digest, Sha256};

        let mut hash = Sha256::new_with_prefix("csrftoken ");
        hash.update(state.csrf_secret_key());
        hash.update(" ");
        hash.update(client_addr.address.to_string());
        request.extensions_mut().insert(CsrfToken {
            expected_csrf_token: format!("{:x}", hash.finalize()),
        });
        next.run(request).await
    }

    /// Generates random CSRF tokens and stores them in user cookies.
    ///
    /// This method should be preferred whenever cookies are available.
    ///
    /// Note that this does not (by itself) validate the tokens!
    /// That must be done by calling [`CsrfToken::validate`].
    ///
    /// # SemVer
    ///
    /// Note that the exact signature is *unstable*, and may change without future SemVer bumps!
    /// The only thing that is safe to rely on is that it can be used with [`axum::middleware::from_fn`].
    #[cfg(feature = "cookie")]
    pub async fn cookie(
        mut cookie_jar: CookieJar,
        mut request: Request,
        next: Next,
    ) -> impl IntoResponse {
        use crate::random_csrf_token;

        const COOKIE_NAME: &str = "CRISSY_CSRF_TOKEN";
        let csrf_token = if let Some(cookie) = cookie_jar.get(COOKIE_NAME) {
            cookie.value().to_string()
        } else {
            let token = random_csrf_token();
            cookie_jar = cookie_jar.add(
                Cookie::build((COOKIE_NAME, token.clone()))
                    .permanent()
                    .path("/")
                    .http_only(true)
                    .secure(true)
                    .build(),
            );
            token
        };
        request.extensions_mut().insert(CsrfToken {
            expected_csrf_token: csrf_token,
        });
        (cookie_jar, next.run(request).await)
    }
}

/// The client's active CSRF token.
///
/// You *must* use a [`middleware`] that is responsible for injecting the `CsrfToken` into the request.
#[derive(Clone)]
pub struct CsrfToken {
    pub expected_csrf_token: String,
}

impl<S> FromRequestParts<S> for CsrfToken {
    type Rejection = Error;

    fn from_request_parts(
        parts: &mut axum::http::request::Parts,
        _state: &S,
    ) -> impl Future<Output = Result<Self, Self::Rejection>> + Send {
        std::future::ready(
            parts
                .extensions
                .get::<CsrfToken>()
                .cloned()
                .context(NoMiddlewareSnafu),
        )
    }
}
impl CsrfToken {
    /// Validates that the submitted CSRF token matches the client's expected CSRF token.
    pub fn validate(&self, form_csrf_token: &str) -> Result<(), Error> {
        if form_csrf_token != self.expected_csrf_token {
            tracing::debug!(
                csrf.session = self.expected_csrf_token,
                csrf.form = form_csrf_token,
                "invalid CSRF token"
            );
            return InvalidCsrfSnafu.fail();
        }
        Ok(())
    }
}

#[cfg(feature = "cookie")]
fn random_csrf_token() -> String {
    format!("{:x}", rand::random::<u128>())
}