Safe Haskell	None
Language	GHC2021

Wai.CSRF

Contents

Token
Masked token

Description

This module exports tool to prevent cross-site request forgeries in Network.Wai. Consider using it in combination with Wai.CryptoCookie.

Synopsis

data Config = Config {
- cookieName :: ByteString
- headerName :: ByteString
- reject :: Request -> Maybe (Token, Bool) -> Maybe Response
}
defaultConfig :: Config
tokenFromRequestHeader :: Config -> Request -> Maybe Token
tokenFromRequestCookie :: Config -> Request -> Maybe Token
setCookie :: Config -> Token -> SetCookie
expireCookie :: Config -> SetCookie
middleware :: Config -> (Maybe Token -> Application) -> Application
newtype Token = Token (SizedByteArray 32 ByteString)
randomToken :: MonadRandom m => m Token
tokenToBase64UU :: Token -> ByteString
tokenFromBase64UU :: ByteString -> Maybe Token
newtype MaskedToken = MaskedToken (SizedByteArray 64 Bytes)
maskedTokenToBase64UU :: MaskedToken -> ByteString
maskedTokenFromBase64UU :: ByteString -> Maybe MaskedToken
randomMaskToken :: MonadRandom m => Token -> m MaskedToken
unmaskToken :: MaskedToken -> Token

Documentation

data Config Source #

Config common to middleware, tokenFromRequestHeader and tokenFromRequestCookie.

Consider using defaultConfig and updating desired fields only.

Constructors

Config

Fields

cookieName :: ByteString
Used by tokenFromRequestCookie, setCookie, expireCookie and middleware.
headerName :: ByteString
Used by tokenFromRequestHeader and middleware.
reject :: Request -> Maybe (Token, Bool) -> Maybe Response
Used by middleware. Decide whether the incoming Request should be rejected with a given Response. Takes the Token that came in through a cookie (see Config's cookieName), if any, as well as a Bool which is True if there is a matching Token that came in through a header (see Config's headerName).
If the token comes through the request body (see MaskedToken), then it is sometimes best not to reject the request here, and instead check and potentially reject the request downstream, so as to preserve the streaming nature of processing the request body.
Notice that nothing in Maybe (Token, Bool) has been evaluated by the time reject is called, so unless you force their evaluation, using middleware is essentially free.

defaultConfig :: Config Source #

Default CSRF settings.

Cookie name is CSRF-TOKEN.
Header name is X-CSRF-TOKEN.
Reject with forbidden403 all request who are neither GET, HEAD, OPTIONS nor TRACE, unless the Token is present in both cookie and header and they are equal.

tokenFromRequestHeader :: Config -> Request -> Maybe Token Source #

Obtain the Token from the Request headers.

You don't need to use this if you are using middleware.

tokenFromRequestCookie :: Config -> Request -> Maybe Token Source #

Obtain the Token from the Request cookies.

You don't need to use this if you are using middleware.

setCookie :: Config -> Token -> SetCookie Source #

Construct a SetCookie to set the CSRF Token.

The SetCookie has these settings, some of which could be overriden.

Cookie name is Config's cookieName.
HttpOnly: No, and you shouldn't change this.
Max-Age and Expires: This cookie never expires. We recommend relying on server-side expiration instead, as the lifetime of the cookie could easily be extended by a legitimate but malicious client. It is recommended that you rotate the Token each time a new user session is established.
Path: /
SameSite: Lax.
Secure: Yes.
Domain: Not set.

expireCookie :: Config -> SetCookie Source #

Construct a SetCookie expiring the cookie named Config's cookieName.

middleware :: Config -> (Maybe Token -> Application) -> Application Source #

Construct a Middleware (almost) that does the following:

Try to find the CSRF Token among the incoming Request cookies (see Config's cookieName).
Use Config's reject to decide if the incoming Request should be rejected.
If the Request wasn't rejected, we pass the Token found in the cookie, if any, to the underlying Application.

Important: This doesn't set any cookie. You must explicitly add setCookie to a Response yourself.

Token

newtype Token Source #

CSRF token.

It is safe to send and receive the Token through HTTP cookies and headers.
If you need to send or receive the Token as part of the request or response body, use MaskedToken instead.

Constructors

Token (SizedByteArray 32 ByteString)

Instances

Instances details

Show Token Source #
Instance details Defined in Wai.CSRF Methods showsPrec :: Int -> Token -> ShowS # show :: Token -> String # showList :: [Token] -> ShowS #
Eq Token Source #
Instance details Defined in Wai.CSRF Methods (==) :: Token -> Token -> Bool # (/=) :: Token -> Token -> Bool #

randomToken :: MonadRandom m => m Token Source #

A CSRF token is just random 32 bytes. Its meaning and validity depends on how and whether you tie it to a user session.

tokenToBase64UU :: Token -> ByteString Source #

tokenFromBase64UU . tokenToBase64UU  ==  Just

tokenFromBase64UU :: ByteString -> Maybe Token Source #

tokenFromBase64UU . tokenToBase64UU  ==  Just

Masked token

newtype MaskedToken Source #

If you embed a Token as is in a response body when HTTP body compression is enabled, it is possible for a malicious actor to recover the Token through a BREACH attack or similar. In order to prevent that, send a different MaskedToken (generated with randomMaskToken) each time instead.

Constructors

MaskedToken (SizedByteArray 64 Bytes)

Instances

Instances details

Show MaskedToken Source #
Instance details Defined in Wai.CSRF Methods showsPrec :: Int -> MaskedToken -> ShowS # show :: MaskedToken -> String # showList :: [MaskedToken] -> ShowS #
Eq MaskedToken Source #
Instance details Defined in Wai.CSRF Methods (==) :: MaskedToken -> MaskedToken -> Bool # (/=) :: MaskedToken -> MaskedToken -> Bool #

maskedTokenToBase64UU :: MaskedToken -> ByteString Source #

maskedTokenFromBase64UU . maskedTokenToBase64UU  ==  Just

maskedTokenFromBase64UU :: ByteString -> Maybe MaskedToken Source #

maskedTokenFromBase64UU . maskedTokenToBase64UU  ==  Just

randomMaskToken :: MonadRandom m => Token -> m MaskedToken Source #

unmaskToken <$> randomMaskToken tok and pure tok produce the same output tok.

unmaskToken :: MaskedToken -> Token Source #

unmaskToken <$> randomMaskToken tok and pure tok produce the same output tok.