Crate csrf [−] [src]

Crate providing cross-site request forgery (CSRF) protection primitives

Overview

csrf provides the basic building blocks you will need to implement CSRF protection for the web framework of your choice. csrf generates encrypyed, signed tokens and cookies, and verifies that they have not been tampered with and that they match.

This crate is used by iron-csrf and be used as a reference for using csrf in other applications.

Hello, CSRF.

A simple example of how to use this library is as follows.

extern crate csrf;
extern crate data_encoding;

use csrf::{AesGcmCsrfProtection, CsrfProtection};
use data_encoding::BASE64;

fn main() {
    let protect = AesGcmCsrfProtection::from_key(*b"01234567012345670123456701234567");

    let (token, cookie) = protect.generate_token_pair(None, 300)
        .expect("couldn't generate token/cookie pair");

    let token_str = token.b64_string();
    let cookie_str = cookie.b64_string();

    // add them to outgoing response

    // wait for incoming connection

    // extract them from an incoming request

    let token_bytes = BASE64.decode(token_str.as_bytes()).expect("token not base64");
    let cookie_bytes= BASE64.decode(cookie_str.as_bytes()).expect("cookie not base64");

    let parsed_token = protect.parse_token(&token_bytes).expect("token not parsed");
    let parsed_cookie = protect.parse_cookie(&cookie_bytes).expect("cookie not parsed");

    assert!(protect.verify_token_pair(&parsed_token, &parsed_cookie));
}

Warning

CSRF protection is not a substitute for authentication or authorization. It only exists to prevent malicious entities from forcing users to take actions they did not intend. If this is unclear, please read the Wikipedia article.

Structs

AesGcmCsrfProtection	Uses AES-GCM to provide signed, encrypted CSRF tokens and cookies.
ChaCha20Poly1305CsrfProtection	Uses ChaCha20Poly1305 to provide signed, encrypted CSRF tokens and cookies.
CsrfCookie	A signed, encrypted CSRF cookie that is suitable to be displayed to end users.
CsrfToken	A signed, encrypted CSRF token that is suitable to be displayed to end users.
HmacCsrfProtection	Uses HMAC to provide authenticated CSRF tokens and cookies.
UnencryptedCsrfCookie	Internal represenation of an unencrypted CSRF cookie. This is not suitable to send to end users.
UnencryptedCsrfToken	Internal represenation of an unencrypted CSRF token. This is not suitable to send to end users.

Enums

CsrfError

An enum of all CSRF related errors.

Constants

CSRF_COOKIE_NAME	The name of the cookie for the CSRF validation data and signature.
CSRF_FORM_FIELD	The name of the form field for the CSRF token.
CSRF_HEADER	The name of the HTTP header for the CSRF token.
CSRF_QUERY_STRING	The name of the query parameter for the CSRF token.

Traits

CsrfProtection

The base trait that allows a developer to add CSRF protection to an application.