iron-csrf 0.0.4

CSRF protection for the web framework Iron
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

//! Crate providing cross-site request forgery (CSRF) protection for Iron.
//!
//! ## Overview
//!
//! `iron_csrf` is used as `iron::BeforeMiddleware` that checks all requests with
//! the HTTP method POST, PUT, PATCH, and DELETE for the presence of a CSRF token,
//! and it generates tokens that can be used inside the application for use when
//! generating the `Response`.
//!
//! ## Hello, world.
//!
//! The following is a simple server that prints the contents of the CSRF token. It
//! demonstrates how to chain the middleware and access the string contents of the
//! `CsrfToken`.
//!
//! ```
//! extern crate iron;
//! extern crate iron_csrf;
//! extern crate ring;
//!
//! use iron::prelude::*;
//! use iron::status;
//! use iron_csrf::{CsrfProtectionMiddleware, HmacCsrfProtection, CsrfToken};
//! use ring::{digest, hmac};
//! use ring::rand::SystemRandom;
//!
//! fn main() {
//!     // Make a key
//!     // Note: You will want to load a persistent key in production
//!     let rng = SystemRandom::new();
//!     let key = hmac::SigningKey::generate(&digest::SHA512, &rng).unwrap();
//!
//!     // Set up CSRF protection with tokens with a short TTL
//!     let protect = HmacCsrfProtection::new(key, Some(300));
//!     let middleware = CsrfProtectionMiddleware::new(protect);
//!
//!     // Set up routes
//!     let mut chain = Chain::new(|request: &mut Request| {
//!         let token = request.extensions.get::<CsrfToken>().unwrap();
//!         let msg = format!("Hello, CSRF Token: {}", token.b64_string());
//!         Ok(Response::with((status::Ok, msg)))
//!     });
//!     chain.link_before(middleware);
//!
//!     // Make and start the server
//!     Iron::new(chain); //.http("localhost:8080").unwrap();
//! }
//!
//! ```
//!
//! ## Protection
//! There are three ways that `iron_csrf` checks for the presence of a CSRF token.
//!
//! - The field `csrf-token` in requests with `Content-Type: multipart/form-data`
//! - The query parameter `csrf-token`
//! - The header `X-CSRF-Token`
//!
//! The selection is done short circuit, so the first present wins, and retrieval
//! only fails if the token is not present in any of the fields.
//!
//! Tokens have a time to live (TTL) that defaults to 3600 seconds. If a token is
//! stale, validation will fail.
//!
//! In the provided implementations, tokens are cryptographically signed, so tampering
//! with a token or its signature will cause the validation to fail.
//!
//! Validation failures will return a `403 Forbidden`.


extern crate chrono;
#[macro_use]
extern crate hyper;
extern crate iron;
extern crate ring;
extern crate rustc_serialize;
extern crate untrusted;
extern crate urlencoded;

mod csrf;
mod middleware;

pub use csrf::{CsrfProtection, HmacCsrfProtection, Ed25519CsrfProtection, CsrfToken};
pub use middleware::{CsrfProtectionMiddleware, XCsrfToken};