Added a simple csrf token middleware.

2024-11-10 00:52:11 +01:00 · 2022-01-09 15:25:55 +01:00 · 2022-01-09 15:25:55 +01:00 · 8e903f2695
commit 8e903f2695
parent 4c6e02d07f
4 changed files with 95 additions and 0 deletions
--- a/core/http/csrf_token.cpp
+++ b/core/http/csrf_token.cpp
@ -0,0 +1,49 @@
+#include "csrf_token.h"
+
+#include "core/hash/sha256.h"
+#include "http_session.h"
+#include "request.h"
+
+bool CSRFTokenMiddleware::on_before_handle_request_main(Request *request) {
+	switch (request->get_method()) {
+		case HTTP_METHOD_POST:
+		case HTTP_METHOD_DELETE:
+		case HTTP_METHOD_PATCH:
+		case HTTP_METHOD_PUT: {
+
+			if (!request->session.is_valid()) {
+				request->send_error(HTTP_STATUS_CODE_401_UNAUTHORIZED);
+				return true;
+			}
+
+			if (!request->validate_csrf_token()) {
+				request->send_error(HTTP_STATUS_CODE_401_UNAUTHORIZED);
+				return true;
+			}
+
+			break;
+		}
+		default:
+			break;
+	}
+
+	// don't create the session itself
+	if (!request->session.is_valid()) {
+		return false;
+	}
+
+	if (!request->has_csrf_token()) {
+		request->set_csrf_token(create_token());
+	}
+
+	return false;
+}
+
+String CSRFTokenMiddleware::create_token() {
+	return "test";
+}
+
+CSRFTokenMiddleware::CSRFTokenMiddleware() {
+}
+CSRFTokenMiddleware::~CSRFTokenMiddleware() {
+}
--- a/core/http/csrf_token.h
+++ b/core/http/csrf_token.h
@ -0,0 +1,21 @@
+#ifndef CSRF_TOKEN_H
+#define CSRF_TOKEN_H
+
+#include "middleware.h"
+
+class Request;
+
+class CSRFTokenMiddleware : public Middleware {
+	RCPP_OBJECT(CSRFTokenMiddleware, Middleware);
+
+public:
+	//returnring true means handled, false means continue
+	bool on_before_handle_request_main(Request *request);
+
+	virtual String create_token();
+
+	CSRFTokenMiddleware();
+	~CSRFTokenMiddleware();
+};
+
+#endif
--- a/core/http/request.cpp
+++ b/core/http/request.cpp
@ -40,6 +40,29 @@ String Request::get_csrf_token() {
 	return "";
 }

+void Request::set_csrf_token(const String &value) {
+	if (session.is_valid()) {
+		session->add("csrf_token", value);
+	}
+}
+
+bool Request::validate_csrf_token() {
+	String param_token = get_parameter("csrf_token");
+	param_token.trim();
+
+	if (param_token == "") {
+		return false;
+	}
+
+	String token = get_csrf_token();
+
+	if (token == "") {
+		return false;
+	}
+
+	return param_token == token;
+}
+
 const String Request::get_cookie(const String &key) {
 	static String str(0);
 	return str;
--- a/core/http/request.h
+++ b/core/http/request.h
@ -42,6 +42,8 @@ public:
 	
 	bool has_csrf_token();
 	String get_csrf_token();
+	void set_csrf_token(const String &value);
+	bool validate_csrf_token();

 	virtual const String get_cookie(const String &key);
 	virtual void add_cookie(const ::Cookie &cookie);