1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65
//! Crate providing cross-site request forgery (CSRF) protection primitives //! //! ## Overview //! `csrf` provides the basic building blocks you will need to implement CSRF protection for the //! web framework of your choice. `csrf` generates encrypyed, signed tokens and cookies, and //! verifies that they have not been tampered with and that they match. //! //! This crate is used by [iron-csrf](https://crates.io/crates/iron-csrf) and be used as a //! reference for using `csrf` in other applications. //! //! ## Hello, CSRF. //! //! A simple example of how to use this library is as follows. //! //! ``` //! extern crate csrf; //! extern crate data_encoding; //! //! use csrf::{AesGcmCsrfProtection, CsrfProtection}; //! use data_encoding::BASE64; //! //! fn main() { //! let protect = AesGcmCsrfProtection::from_key(*b"01234567012345670123456701234567"); //! //! let (token, cookie) = protect.generate_token_pair(None, 300) //! .expect("couldn't generate token/cookie pair"); //! //! let token_str = token.b64_string(); //! let cookie_str = cookie.b64_string(); //! //! // add them to outgoing response //! //! // wait for incoming connection //! //! // extract them from an incoming request //! //! let token_bytes = BASE64.decode(token_str.as_bytes()).expect("token not base64"); //! let cookie_bytes= BASE64.decode(cookie_str.as_bytes()).expect("cookie not base64"); //! //! let parsed_token = protect.parse_token(&token_bytes).expect("token not parsed"); //! let parsed_cookie = protect.parse_cookie(&cookie_bytes).expect("cookie not parsed"); //! //! assert!(protect.verify_token_pair(&parsed_token, &parsed_cookie)); //! } //! ``` //! //! ## Warning //! CSRF protection is not a substitute for authentication or authorization. It *only* exists to //! prevent malicious entities from forcing users to take actions they did not intend. If this is //! unclear, please read the [Wikipedia //! article](https://en.wikipedia.org/wiki/Cross-site_request_forgery). #![deny(missing_docs)] extern crate crypto; extern crate data_encoding; #[macro_use] extern crate log; extern crate ring; extern crate time; #[cfg(feature = "iron")] extern crate typemap; mod core; pub use core::*;