diff --git a/vlib/vweb/README.md b/vlib/vweb/README.md index 7e35e91e1f..aac791ea61 100644 --- a/vlib/vweb/README.md +++ b/vlib/vweb/README.md @@ -1039,68 +1039,6 @@ pub fn (mut app App) error() vweb.Result { } ``` # Cross-Site Request Forgery (CSRF) protection -## Provides protection against Cross-Site Request Forgery - -## Usage - -When building a csrf-protected service, first of all create a `struct`that implements `csrf.App` - -```v ignore -module main - -import vweb -import vweb.csrf - -// embeds the csrf.App struct in order to empower the struct to protect against CSRF -struct App { - csrf.App -} -``` - -Start a server e.g. in the main function. - -```v ignore -fn main() { - vweb.run_at(&App{}, vweb.RunParams{ - port: 8080 - }) or { panic(err) } -} -``` - -### Enable CSRF-protection - -Then add a handler-function to define on which route or on which site the CSRF-Token shall be set. - -```v ignore -fn (mut app App) index() vweb.Result { - - // Set a Csrf-Cookie (Token will be generated automatically) - app.set_csrf_cookie() - - // Get the token-value from the csrf-cookie that was just set - token := app.get_csrf_token() or { panic(err) } - - return app.text("Csrf-Token set! It's value is: $token") -} -``` - -If you want to set the cookies's HttpOnly-status to false in order to make it - accessible to scripts on your site, you can do it like this: -`app.set_csrf_cookie(csrf.HttpOnly{false})` -If no argument is passed the value will be set to true by default. - - -### Protect against CSRF - -If you want to protect a route or a site against CSRF just add -`app.csrf_protect()` at the beginning of the handler-function. - -```v ignore -fn (mut app App) foo() vweb.Result { - // Protect this handler-function against CSRF - app.csrf_protect() - return app.text("Checked and passed csrf-guard") -} -``` - +Vweb has built-in csrf protection. Go to the [csrf module](csrf/) to learn how +you can protect your app against CSRF. diff --git a/vlib/vweb/csrf/README.md b/vlib/vweb/csrf/README.md new file mode 100644 index 0000000000..a5031afe9f --- /dev/null +++ b/vlib/vweb/csrf/README.md @@ -0,0 +1,237 @@ +# Cross-Site Request Forgery (CSRF) protection + +This module implements the [double submit cookie][owasp] technique to protect routes +from CSRF attacks. + +CSRF is a type of attack that occurs when a malicious program/website (and others) causes +a user's web browser to perform an action without them knowing. A web browser automatically sends +cookies to a website when it performs a request, including session cookies. So if a user is +authenticated on your website the website can not distinguish a forged request by a legitimate +request. + +## When to not add CSRF-protection +If you are creating a service that is intended to be used by other servers e.g. an API, +you probably don't want CSRF-protection. An alternative would be to send an Authorization +token in, and only in, an HTTP-header (like JSON Web Tokens). If you do that your website +isn't vulnerable to CSRF-attacks. + +## Usage + +You can add `CsrfApp` to your own `App` struct to have the functions available +in your app's context, or you can use it with the middleware of vweb. + +The advantage of the middleware approach is that you have to define +the configuration separate from your `App`. This makes it possible to share the +configuration between modules or controllers. + +### Usage with the CsrfApp + +Change `secret` and `allowed_hosts` when creating the `CsrfApp`. + +**Example**: +```v ignore +module main + +import net.http +import vweb +import vweb.csrf + +struct App { + vweb.Context +pub mut: + csrf csrf.CsrfApp [vweb_global] +} + +fn main() { + app := &App{ + csrf: csrf.CsrfApp{ + // change the secret + secret: 'my-64bytes-secret' + // change to which domains you want to allow + allowed_hosts: ['*'] + } + } + vweb.run(app, 8080) +} + +pub fn (mut app App) index() vweb.Result { + // this line sets `app.token` and the cookie + app.csrf.set_token(mut app.Context) + return $vweb.html() +} + +[post] +pub fn (mut app App) auth() vweb.Result { + // this line protects the route against CSRF + app.csrf.protect(mut app.Context) + return app.text('authenticated!') +} +``` + +index.html +```html +
+``` + +### Usage without CsrfApp +If you use `vweb.Middleware` you can protect multiple routes at once. + +**Example**: +```v ignore +module main + +import net.http +import vweb +import vweb.csrf + +const ( + // the configuration moved here + csrf_config = csrf.CsrfConfig{ + // change the secret + secret: 'my-64bytes-secret' + // change to which domains you want to allow + allowed_hosts: ['*'] + } +) + +struct App { + vweb.Context +pub mut: + middlewares map[string][]vweb.Middleware +} + +fn main() { + app := &App{ + middlewares: { + // protect all routes starting with the url '/auth' + '/auth': [csrf.middleware(csrf_config)] + } + } + vweb.run(app, 8080) +} + +pub fn (mut app App) index() vweb.Result { + // get the token and set the cookie + csrftoken := csrf.set_token(mut app.Context, csrf_config) + return $vweb.html() +} + +[post] +pub fn (mut app App) auth() vweb.Result { + return app.text('authenticated!') +} + +[post] +pub fn (mut app App) register() vweb.Result { + // protect an individual route with the following line + csrf.protect(mut app.Context, csrf_config) + // ... +} +``` + +index.html (the hidden input has changed) +```html + +``` + +### Protect all routes +It is possible to protect all routes against CSRF-attacks. Every request that is not +defined as a [safe method](#safe-methods) (`GET`, `OPTIONS`, `HEAD` by default) +will have CSRF-protection. + +**Example**: +```v ignore +pub fn (mut app App) before_request() { + app.csrf.protect(mut app.Context) + // or if you don't use `CsrfApp`: + // csrf.protect(mut app.Context, csrf_config) +} +``` + +## How it works +This module implements the [double submit cookie][owasp] technique: a random token +is generated, the CSRF-token. The hmac of this token and the secret key is stored in a cookie. + +When a request is made, the CSRF-token should be placed inside a HTML form element. +The CSRF-token the hmac of the CSRF-token in the formdata is compared to the cookie. +If the values match, the request is accepted. + +This approach has the advantage of being stateless: there is no need to store tokens on the server +side and validate them. The token and cookie are bound cryptographically to each other so +an attacker would need to know both values in order to make a CSRF-attack succeed. That +is why is it important to **not leak the CSRF-token** via an url, or some other way. +See [client side CSRF][client-side-csrf] for more information. + +This is a high level overview of the implementation. + +## Security Considerations + +### The secret key +The secret key should be a random string that is not easily guessable. +The recommended size is 64 bytes. + +### Sessions +If your app supports some kind of user sessions, it is recommended to cryptographically +bind the CSRF-token to the users' session. You can do that by providing the name +of the session ID cookie. If an attacker changes the session ID in the cookie, in the +token or both the hmac will be different adn the request will be rejected. + +**Example**: +```v ignore +csrf_config = csrf.CsrfConfig{ + // ... + session_cookie: 'my_session_id_cookie_name' +} +``` + +### Safe Methods +The HTTP methods `GET`, `OPTIONS`, `HEAD` are considered +[safe methods][mozilla-safe-methods] meaning they should not alter the state of +an application. If a request with a "safe method" is made, the csrf protection will be skipped. + +You can change which methods are considered safe by changing `CsrfConfig.safe_methods`. + +### Allowed Hosts + +By default, both the http Origin and Referer headers are checked and matched strictly +to the values in `allowed_hosts`. That means that you need to include each subdomain. + +If the value of `allowed_hosts` contains the wildcard: `'*'` the headers will not be checked. + +#### Domain name matching +The following configuration will not allow requests made from `test.example.com`, +only from `example.com`. + +**Example** +```v ignore +config := csrf.CsrfConfig{ + secret: '...' + allowed_hosts: ['example.com'] +} +``` + +#### Referer, Origin header check +In some cases (like if your server is behind a proxy), the Origin or Referer header will +not be present. If that is your case you can set `check_origin_and_referer` to `false`. +Request will now be accepted when the Origin *or* Referer header is valid. + +### Share csrf cookie with subdomains +If you need to share the CSRF-token cookie with subdomains, you can set +`same_site` to `.same_site_lax_mode`. + +## Configuration + +All configuration options are defined in `CsrfConfig`. + +[//]: # (Sources) +[owasp]: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie +[client-side-csrf]: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#client-side-csrf +[mozilla-safe-methods]: https://developer.mozilla.org/en-US/docs/Glossary/Safe/HTTP \ No newline at end of file diff --git a/vlib/vweb/csrf/create_cookie.v b/vlib/vweb/csrf/create_cookie.v deleted file mode 100644 index 330abe6155..0000000000 --- a/vlib/vweb/csrf/create_cookie.v +++ /dev/null @@ -1,56 +0,0 @@ -module csrf - -import rand - -const chars = 'QWERTZUIOPASDFGHJKLYXCVBNMqwertzuiopasdfghjklyxcvbnm1234567890_-' - -const cookie_key = '__Host-Csrf-Token' - -// set_csrf_cookie - generates a CSRF-Token and sets the CSRF-Cookie. It is possible to set the HttpOnly-status of the cookie to false by adding an argument of the HttpOnly-struct like this: -// `app.set_csrf_cookie(csrf.HttpOnly{false})` -// If no argument is set, http_only will be set to `true`by default. -pub fn (mut app App) set_csrf_cookie(h ...HttpOnly) App { - mut http_only := true - if h.len > 0 { - http_only = h[0].http_only - } - cookie := create_cookie(http_only) - app = App{app.Context, cookie.value} - app.set_cookie(cookie) - return app -} - -// generate - generates the CSRF-Token -fn generate() string { - mut out := '' - for _ in 0 .. 42 { - i := rand.intn(csrf.chars.len_utf8()) or { - panic('Error while trying to generate Csrf-Token: ${err}') - } - out = out + csrf.chars[i..i + 1] - } - return out -} - -// create_cookie - creates the cookie -fn create_cookie(h bool) CsrfCookie { - return CsrfCookie{ - name: csrf.cookie_key - value: generate() - path: '/' - max_age: 0 - secure: true - http_only: h - } -} - -// get_csrf_token - returns the CSRF-Token that has been set. Make sure that you set one by using `set_csrf_cookie()`. If it's value is empty or no cookie has been generated, the function will throw an error. -pub fn (mut app App) get_csrf_token() ?string { - if app.csrf_cookie_value != '' { - return app.csrf_cookie_value - } else { - return CsrfError{ - m: 'The CSRF-Token-Value is empty. Please check if you have setted a cookie!' - } - } -} diff --git a/vlib/vweb/csrf/csrf.v b/vlib/vweb/csrf/csrf.v new file mode 100644 index 0000000000..37e9336fde --- /dev/null +++ b/vlib/vweb/csrf/csrf.v @@ -0,0 +1,205 @@ +module csrf + +import crypto.hmac +import crypto.sha256 +import encoding.base64 +import net.http +import net.urllib +import rand +import time +import vweb + +[params] +pub struct CsrfConfig { +pub: + secret string + // how long the random part of the csrf-token should be + nonce_length int = 64 + // HTTP "safe" methods meaning they shouldn't alter state. + // If a request with any of these methods is made, `protect` will always return true + // https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.1 + safe_methods []http.Method = [.get, .head, .options] + // which hosts are allowed, enforced by checking the Origin and Referer header + // if allowed_hosts contains '*' the check will be skipped. + // Subdomains need to be included separately: a request from `"sub.example.com"` + // will be rejected when `allowed_host = ['example.com']`. + allowed_hosts []string + // if set to true both the Referer and Origin headers must match `allowed_hosts` + // else if either one is valid the request is accepted + check_origin_and_referer bool = true + // the name of the csrf-token in the hidden html input + token_name string = 'csrftoken' + // the name of the cookie that contains the session id + session_cookie string + // cookie options + cookie_name string = 'csrftoken' + same_site http.SameSite = .same_site_strict_mode + cookie_path string = '/' + // how long the cookie stays valid in seconds. Default is 30 days + max_age int = 60 * 60 * 24 * 30 + cookie_domain string +} + +pub struct CsrfApp { + CsrfConfig +pub mut: + // the csrftoken that should be placed in an html form + token string +} + +// set_token is the app wrapper for `set_token` +pub fn (mut app CsrfApp) set_token(mut ctx vweb.Context) { + app.token = set_token(mut ctx, app.CsrfConfig) +} + +// protect is the app wrapper for `protect` +pub fn (mut app CsrfApp) protect(mut ctx vweb.Context) bool { + return protect(mut ctx, app.CsrfConfig) +} + +// check_origin_and_referer is the app wrapper for `check_origin_and_referer` +fn (app &CsrfApp) check_origin_and_referer(ctx vweb.Context) bool { + return check_origin_and_referer(ctx, app.CsrfConfig) +} + +// middleware returns a function that you can use in `app.middlewares` +pub fn middleware(config &CsrfConfig) vweb.Middleware { + return fn [config] (mut ctx vweb.Context) bool { + return protect(mut ctx, config) + } +} + +// set_token returns the csrftoken and sets an encrypted cookie with the hmac of +// `config.get_secret` and the csrftoken +pub fn set_token(mut ctx vweb.Context, config &CsrfConfig) string { + expire_time := time.now().add_seconds(config.max_age) + session_id := ctx.get_cookie(config.session_cookie) or { '' } + + token := generate_token(expire_time.unix_time(), session_id, config.nonce_length) + cookie := generate_cookie(expire_time.unix_time(), token, config.secret) + + // the hmac key is set as a cookie and later validated with `app.token` that must + // be in an html form + ctx.set_cookie(http.Cookie{ + name: config.cookie_name + value: cookie + same_site: config.same_site + http_only: true + secure: true + path: config.cookie_path + expires: expire_time + max_age: config.max_age + }) + + return token +} + +// protect returns false and sends an http 401 response when the csrf verification +// fails. protect will always return true if the current request method is in +// `config.safe_methods`. +pub fn protect(mut ctx vweb.Context, config &CsrfConfig) bool { + // if the request method is a "safe" method we allow the request + if ctx.req.method in config.safe_methods { + return true + } + + // check origin and referer header + if check_origin_and_referer(ctx, config) == false { + request_is_invalid(mut ctx) + return false + } + + // use the session id from the cookie, not from the csrftoken + session_id := ctx.get_cookie(config.session_cookie) or { '' } + + actual_token := ctx.form[config.token_name] or { + request_is_invalid(mut ctx) + return false + } + // retrieve timestamp and nonce from csrftoken + data := base64.url_decode_str(actual_token).split('.') + if data.len < 3 { + request_is_invalid(mut ctx) + return false + } + + // check the timestamp from the csrftoken against the current time + // if an attacker would change the timestamp on the cookie, the token or both the + // hmac would also change. + now := time.now().unix_time() + expire_timestamp := data[0].i64() + if expire_timestamp < now { + // token has expired + request_is_invalid(mut ctx) + return false + } + + nonce := data.last() + expected_token := base64.url_encode_str('${expire_timestamp}.${session_id}.${nonce}') + + actual_hash := ctx.get_cookie(config.cookie_name) or { + request_is_invalid(mut ctx) + return false + } + // generate new hmac based on information in the http request + expected_hash := generate_cookie(expire_timestamp, expected_token, config.secret) + + // if the new hmac matches the cookie value the request is legit + if actual_hash != expected_hash { + request_is_invalid(mut ctx) + return false + } + + return true +} + +// check_origin_and_referer validates the `Origin` and `Referer` headers. +fn check_origin_and_referer(ctx vweb.Context, config &CsrfConfig) bool { + // wildcard allow all hosts NOT SAFE! + if '*' in config.allowed_hosts { + return true + } + + // only match host and match the full domain name + // because lets say `allowed_host` = `['example.com']`. + // Attackers shouldn't be able to bypass this check with the domain `example.com.attacker.com` + + origin := ctx.get_header('Origin') + origin_url := urllib.parse(origin) or { urllib.URL{} } + + valid_origin := origin_url.hostname() in config.allowed_hosts + + referer := ctx.get_header('Referer') + referer_url := urllib.parse(referer) or { urllib.URL{} } + + valid_referer := referer_url.hostname() in config.allowed_hosts + + if config.check_origin_and_referer { + return valid_origin && valid_referer + } else { + return valid_origin || valid_referer + } +} + +// request_is_invalid sends an http 403 response +fn request_is_invalid(mut ctx vweb.Context) { + ctx.set_status(403, '') + ctx.text('Forbidden: Invalid or missing CSRF token') +} + +fn generate_token(expire_time i64, session_id string, nonce_length int) string { + nonce := rand.string_from_set('0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvwxyz', + nonce_length) + token := '${expire_time}.${session_id}.${nonce}' + + return base64.url_encode_str(token) +} + +// generate_cookie converts secret key based on the request context and a random +// token into an hmac key +fn generate_cookie(expire_time i64, token string, secret string) string { + hash := base64.url_encode(hmac.new(secret.bytes(), token.bytes(), sha256.sum, sha256.block_size)) + cookie := '${expire_time}.${hash}' + + return cookie +} diff --git a/vlib/vweb/csrf/csrf_test.v b/vlib/vweb/csrf/csrf_test.v index 0e11ed8cf4..c9471bfc4b 100644 --- a/vlib/vweb/csrf/csrf_test.v +++ b/vlib/vweb/csrf/csrf_test.v @@ -1,30 +1,377 @@ import time import net.http +import net.html import vweb import vweb.csrf +import os -const sport = 10801 +const ( + sport = 12385 + localserver = '127.0.0.1:${sport}' + exit_after_time = 12000 // milliseconds + + session_id_cookie_name = 'session_id' + csrf_config = &csrf.CsrfConfig{ + secret: 'my-256bit-secret' + allowed_hosts: ['*'] + session_cookie: session_id_cookie_name + } + + allowed_origin = 'example.com' + csrf_config_origin = &csrf.CsrfConfig{ + secret: 'my-256bit-secret' + allowed_hosts: [allowed_origin] + session_cookie: session_id_cookie_name + } +) + +// Test CSRF functions +// ===================================== + +fn test_set_token() { + mut ctx := vweb.Context{} + + token := csrf.set_token(mut ctx, csrf_config) + + cookie := ctx.header.get(.set_cookie) or { '' } + assert cookie.len != 0 + assert cookie.starts_with('${csrf_config.cookie_name}=') +} + +fn test_protect() { + mut ctx := vweb.Context{} + + token := csrf.set_token(mut ctx, csrf_config) + + mut cookie := ctx.header.get(.set_cookie) or { '' } + // get cookie value from "name=value;" + cookie = cookie.split(' ')[0].all_after('=').replace(';', '') + + form := { + csrf_config.token_name: token + } + cookie_map := { + csrf_config.cookie_name: cookie + } + ctx = vweb.Context{ + form: form + req: http.Request{ + method: .post + cookies: cookie_map + } + } + valid := csrf.protect(mut ctx, csrf_config) + + assert valid == true +} + +fn test_timeout() { + timeout := 1 + short_time_config := &csrf.CsrfConfig{ + secret: 'my-256bit-secret' + allowed_hosts: ['*'] + session_cookie: session_id_cookie_name + max_age: timeout + } + + mut ctx := vweb.Context{} + + token := csrf.set_token(mut ctx, short_time_config) + + // after 2 seconds the cookie should expire (maxage) + time.sleep(2 * time.second) + mut cookie := ctx.header.get(.set_cookie) or { '' } + // get cookie value from "name=value;" + cookie = cookie.split(' ')[0].all_after('=').replace(';', '') + + form := { + short_time_config.token_name: token + } + cookie_map := { + short_time_config.cookie_name: cookie + } + ctx = vweb.Context{ + form: form + req: http.Request{ + method: .post + cookies: cookie_map + } + } + + valid := csrf.protect(mut ctx, short_time_config) + + assert valid == false +} + +fn test_valid_origin() { + // valid because both Origin and Referer headers are present + token, cookie := get_token_cookie('') + + form := { + csrf_config.token_name: token + } + cookie_map := { + csrf_config.cookie_name: cookie + } + + mut req := http.Request{ + method: .post + cookies: cookie_map + } + req.add_header(.origin, 'http://${allowed_origin}') + req.add_header(.referer, 'http://${allowed_origin}/test') + mut ctx := vweb.Context{ + form: form + req: req + } + + mut valid := csrf.protect(mut ctx, csrf_config_origin) + assert valid == true +} + +fn test_invalid_origin() { + // invalid because either the Origin, Referer or neither are present + token, cookie := get_token_cookie('') + + form := { + csrf_config.token_name: token + } + cookie_map := { + csrf_config.cookie_name: cookie + } + + mut req := http.Request{ + method: .post + cookies: cookie_map + } + req.add_header(.origin, 'http://${allowed_origin}') + mut ctx := vweb.Context{ + form: form + req: req + } + + mut valid := csrf.protect(mut ctx, csrf_config_origin) + assert valid == false + + req = http.Request{ + method: .post + cookies: cookie_map + } + req.add_header(.referer, 'http://${allowed_origin}/test') + ctx = vweb.Context{ + form: form + req: req + } + + valid = csrf.protect(mut ctx, csrf_config_origin) + assert valid == false + + req = http.Request{ + method: .post + cookies: cookie_map + } + ctx = vweb.Context{ + form: form + req: req + } + + valid = csrf.protect(mut ctx, csrf_config_origin) + assert valid == false +} + +// Testing App +// ================================ struct App { - csrf.App + vweb.Context +pub mut: + csrf csrf.CsrfApp [vweb_global] + middlewares map[string][]vweb.Middleware } -// index - will handle requests to path '/' -fn (mut app App) index() vweb.Result { - // Set a Csrf-Cookie(Token will be generated automatically) and set http_only-status. If no argument ist passed, it will be true by default. - app.set_csrf_cookie(csrf.HttpOnly{false}) - // Get the token-value from the csrf-cookie that was just setted - token := app.get_csrf_token() or { panic(err) } - return app.text("Csrf-Token set! It's value is: ${token}") +pub fn (mut app App) index() vweb.Result { + app.csrf.set_token(mut app.Context) + + return app.html('') } -fn test_send_a_request_to_homepage_expecting_a_csrf_cookie() { - spawn vweb.run_at(&App{}, vweb.RunParams{ port: sport }) - time.sleep(500 * time.millisecond) - res := http.get('http://localhost:${sport}/')! - if res.header.str().contains('__Host-Csrf-Token') { - assert true - } else { - assert false +[post] +pub fn (mut app App) auth() vweb.Result { + app.csrf.protect(mut app.Context) + + return app.ok('authenticated') +} + +pub fn (mut app App) middleware_index() vweb.Result { + csrftoken := csrf.set_token(mut app.Context, csrf_config) + + return app.html('') +} + +[post] +pub fn (mut app App) middleware_auth() vweb.Result { + return app.ok('middleware authenticated') +} + +// App cleanup function +// ====================================== + +pub fn (mut app App) shutdown() vweb.Result { + spawn app.gracefull_exit() + return app.ok('good bye') +} + +fn (mut app App) gracefull_exit() { + eprintln('>> webserver: gracefull_exit') + time.sleep(100 * time.millisecond) + exit(0) +} + +fn exit_after_timeout[T](mut app T, timeout_in_ms int) { + time.sleep(timeout_in_ms * time.millisecond) + eprintln('>> webserver: pid: ${os.getpid()}, exiting ...') + app.shutdown() + + eprintln('App timed out!') + assert true == false +} + +// Tests for the App +// ====================================== + +fn test_run_app_in_background() { + mut app := &App{ + csrf: csrf.CsrfApp{ + secret: 'my-256bit-secret' + allowed_hosts: [allowed_origin] + session_cookie: session_id_cookie_name + } + middlewares: { + '/middleware_auth': [csrf.middleware(csrf_config)] + } } + spawn vweb.run_at(app, port: sport, family: .ip) + spawn exit_after_timeout(mut app, exit_after_time) + + time.sleep(500 * time.millisecond) +} + +fn test_token_with_app() { + res := http.get('http://${localserver}/') or { panic(err) } + + mut doc := html.parse(res.body) + inputs := doc.get_tag_by_attribute_value('type', 'hidden') + assert inputs.len == 1 + assert csrf_config.token_name == inputs[0].attributes['name'] +} + +fn test_token_with_middleware() { + res := http.get('http://${localserver}/middleware_index') or { panic(err) } + + mut doc := html.parse(res.body) + inputs := doc.get_tag_by_attribute_value('type', 'hidden') + assert inputs.len == 1 + assert csrf_config.token_name == inputs[0].attributes['name'] +} + +// utility function to check whether the route at `path` is protected against csrf +fn protect_route_util(path string) { + mut req := http.Request{ + method: .post + url: 'http://${localserver}/${path}' + } + mut res := req.do() or { panic(err) } + assert res.status() == .forbidden + + // A valid request with CSRF protection should have a cookie session id, + // csrftoken in `app.form` and the hmac of that token in a cookie + session_id := 'user_session_id' + token, cookie := get_token_cookie(session_id) + + header := http.new_header_from_map({ + http.CommonHeader.origin: 'http://${allowed_origin}' + http.CommonHeader.referer: 'http://${allowed_origin}/route' + }) + + formdata := http.url_encode_form_data({ + csrf_config.token_name: token + }) + + // session id is altered: test if session hijacking is possible + // if the session id the csrftoken changes so the cookie can't be validated + mut cookies := { + csrf_config.cookie_name: cookie + session_id_cookie_name: 'altered' + } + + req = http.Request{ + method: .post + url: 'http://${localserver}/${path}' + data: formdata + cookies: cookies + header: header + } + + res = req.do() or { panic(err) } + assert res.status() == .forbidden + + // Everything is valid now and the request should succeed + cookies[session_id_cookie_name] = session_id + + req = http.Request{ + method: .post + url: 'http://${localserver}/${path}' + data: formdata + cookies: cookies + header: header + } + + res = req.do() or { panic(err) } + assert res.status() == .ok +} + +fn test_protect_with_app() { + protect_route_util('/auth') +} + +fn test_protect_with_middleware() { + protect_route_util('middleware_auth') +} + +fn testsuite_end() { + // This test is guaranteed to be called last. + // It sends a request to the server to shutdown. + x := http.get('http://${localserver}/shutdown') or { + assert err.msg() == '' + return + } + assert x.status() == .ok + assert x.body == 'good bye' +} + +// Utility functions + +fn get_token_cookie(session_id string) (string, string) { + mut ctx := vweb.Context{ + req: http.Request{ + cookies: { + session_id_cookie_name: session_id + } + } + } + + token := csrf.set_token(mut ctx, csrf_config_origin) + + mut cookie := ctx.header.get(.set_cookie) or { '' } + // get cookie value from "name=value;" + cookie = cookie.split(' ')[0].all_after('=').replace(';', '') + return token, cookie } diff --git a/vlib/vweb/csrf/protect.v b/vlib/vweb/csrf/protect.v deleted file mode 100644 index 2b460d51e6..0000000000 --- a/vlib/vweb/csrf/protect.v +++ /dev/null @@ -1,37 +0,0 @@ -module csrf - -import net.http - -// csrf_protect - protects a handler-function against CSRF. Should be set at the beginning of the handler-function. -pub fn (mut app App) csrf_protect() CheckedApp { - req_cookies := app.req.cookies.clone() - app_csrf_cookie_str := app.get_cookie(cookie_key) or { - // Do not return normally!! No Csrf-Token was set! - app.set_status(403, '') - return app.text('Error 403 - Forbidden') - } - - if cookie_key in req_cookies && req_cookies[cookie_key] == app_csrf_cookie_str { - // Csrf-Check OK - return app as normal in order to handle request normally - return app - } else if app.check_headers(app_csrf_cookie_str) { - // Csrf-Check OK - return app as normal in order to handle request normally - return app - } else { - // Do not return normally!! The client has not passed the Csrf-Check!! - app.set_status(403, '') - return app.text('Error 403 - Forbidden') - } -} - -// check_headers - checks if there is a CSRF-Token that was sent with the headers of a request -fn (app App) check_headers(app_csrf_cookie_str string) bool { - token := app.req.header.get_custom('Csrf-Token', http.HeaderQueryConfig{true}) or { - return false - } - if token == app_csrf_cookie_str { - return true - } else { - return false - } -} diff --git a/vlib/vweb/csrf/structs.v b/vlib/vweb/csrf/structs.v deleted file mode 100644 index 09b648b37a..0000000000 --- a/vlib/vweb/csrf/structs.v +++ /dev/null @@ -1,30 +0,0 @@ -// This module provides csrf-protection for apps written with libe vweb. - -module csrf - -import vweb -import net.http - -type CsrfCookie = http.Cookie - -interface CheckedApp {} - -pub struct App { - vweb.Context - csrf_cookie_value string -} - -pub struct HttpOnly { - http_only bool -} - -struct CsrfError { - Error - m string -} - -fn (err CsrfError) msg() string { - return err.m -} - -// Written by flopetautschnig (floscodes) 2022