ferro-rs 0.2.15

A Laravel-inspired web framework for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169

//! CSRF protection middleware

use crate::http::{HttpResponse, Response};
use crate::middleware::{Middleware, Next};
use crate::session::get_csrf_token;
use crate::Request;
use async_trait::async_trait;

/// CSRF protection middleware
///
/// Validates CSRF tokens on state-changing requests (POST, PUT, PATCH, DELETE).
///
/// # Token Sources
///
/// The middleware looks for the CSRF token in the following order:
/// 1. `X-CSRF-TOKEN` header (used by Inertia.js)
/// 2. `X-XSRF-TOKEN` header (Laravel convention)
/// 3. `_token` form field (traditional forms)
///
/// # Usage
///
/// ```rust,ignore
/// use ferro_rs::{global_middleware, CsrfMiddleware};
///
/// global_middleware!(CsrfMiddleware::new());
/// ```
pub struct CsrfMiddleware {
    /// HTTP methods that require CSRF validation
    protected_methods: Vec<&'static str>,
    /// Paths to exclude from CSRF validation (e.g., webhooks)
    except: Vec<String>,
}

impl CsrfMiddleware {
    /// Create a new CSRF middleware with default settings
    ///
    /// Protects: POST, PUT, PATCH, DELETE
    pub fn new() -> Self {
        Self {
            protected_methods: vec!["POST", "PUT", "PATCH", "DELETE"],
            except: Vec::new(),
        }
    }

    /// Add paths to exclude from CSRF validation
    ///
    /// Useful for webhooks or API endpoints that use other authentication.
    ///
    /// # Example
    ///
    /// ```rust,ignore
    /// let csrf = CsrfMiddleware::new()
    ///     .except(vec!["/webhooks/*", "/api/external/*"]);
    /// ```
    pub fn except(mut self, paths: Vec<impl Into<String>>) -> Self {
        self.except = paths.into_iter().map(|p| p.into()).collect();
        self
    }

    /// Check if a path should be excluded from CSRF validation
    fn is_excluded(&self, path: &str) -> bool {
        for pattern in &self.except {
            if pattern.ends_with('*') {
                let prefix = &pattern[..pattern.len() - 1];
                if path.starts_with(prefix) {
                    return true;
                }
            } else if pattern == path {
                return true;
            }
        }
        false
    }
}

impl Default for CsrfMiddleware {
    fn default() -> Self {
        Self::new()
    }
}

#[async_trait]
impl Middleware for CsrfMiddleware {
    async fn handle(&self, request: Request, next: Next) -> Response {
        let method = request.method().as_str();

        // Only validate state-changing requests
        if !self.protected_methods.contains(&method) {
            return next(request).await;
        }

        // Check if path is excluded
        if self.is_excluded(request.path()) {
            return next(request).await;
        }

        // Get expected token from session
        let expected_token = match get_csrf_token() {
            Some(token) => token,
            None => {
                return Err(HttpResponse::json(serde_json::json!({
                    "message": "Session not found. CSRF validation failed."
                }))
                .status(500));
            }
        };

        // Get provided token from request
        // Check headers first (Inertia.js and AJAX)
        let provided_token = request
            .header("X-CSRF-TOKEN")
            .or_else(|| request.header("X-XSRF-TOKEN"))
            .map(|s| s.to_string());

        match provided_token {
            Some(token) if constant_time_compare(&token, &expected_token) => {
                // Token is valid
                next(request).await
            }
            _ => {
                // Token mismatch or missing
                // Return 419 status (Laravel convention)
                Err(HttpResponse::json(serde_json::json!({
                    "message": "CSRF token mismatch."
                }))
                .status(419))
            }
        }
    }
}

/// Constant-time string comparison to prevent timing attacks
///
/// This ensures an attacker can't determine how much of the token is correct
/// based on response time.
fn constant_time_compare(a: &str, b: &str) -> bool {
    if a.len() != b.len() {
        return false;
    }

    a.bytes()
        .zip(b.bytes())
        .fold(0, |acc, (x, y)| acc | (x ^ y))
        == 0
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_constant_time_compare() {
        assert!(constant_time_compare("abc123", "abc123"));
        assert!(!constant_time_compare("abc123", "abc124"));
        assert!(!constant_time_compare("abc123", "abc12"));
        assert!(!constant_time_compare("", "a"));
    }

    #[test]
    fn test_is_excluded() {
        let csrf = CsrfMiddleware::new().except(vec!["/webhooks/*", "/api/public"]);

        assert!(csrf.is_excluded("/webhooks/stripe"));
        assert!(csrf.is_excluded("/webhooks/github/events"));
        assert!(csrf.is_excluded("/api/public"));
        assert!(!csrf.is_excluded("/api/private"));
        assert!(!csrf.is_excluded("/login"));
    }
}