mirror of https://github.com/vlang/v.git synced 2023-08-10 21:13:21 +03:00
v/vlib/vweb/csrf
2022-09-21 19:45:43 +03:00
create_cookie.v vweb.csrf: add a README.md, correct doc comments for public functions (#15697) 2022-09-08 13:20:29 +03:00
csrf_test.v tests: make error handling the same as the main function (#15825) 2022-09-21 19:45:43 +03:00
protect.v vweb: adding a vweb.csrf protection module (#15586) 2022-09-06 13:18:39 +03:00
README.md vweb.csrf: add a README.md, correct doc comments for public functions (#15697) 2022-09-08 13:20:29 +03:00
structs.v vweb: adding a vweb.csrf protection module (#15586) 2022-09-06 13:18:39 +03:00

vweb.csrf - Provides protection against Cross-site request forgery (CSRF) for web apps written with vweb

Usage

When building a CSRF-protected service, first create a struct that embeds csrf.App:

module main

import vweb
import vweb.csrf

// embeds the csrf.App struct in order to empower the struct to protect against CSRF
struct App {
	csrf.App
}

Start a server e.g. in the main function.

fn main() {
	vweb.run_at(&App{}, vweb.RunParams{
		port: 8080
	}) or { panic(err) }
}

Enable CSRF-protection

Then add a handler function that defines on which route or on which site the CSRF token is set.

fn (mut app App) index() vweb.Result {
	// Set a CSRF cookie (the token is generated automatically)
	app.set_csrf_cookie()

	// Get the token value from the CSRF cookie that was just set
	token := app.get_csrf_token() or { panic(err) }

	return app.text("Csrf-Token set! Its value is: $token")
}

If you want to set the cookie's HttpOnly status to false in order to make it accessible to scripts on your site, you can do it like this: app.set_csrf_cookie(csrf.HttpOnly{false}). If no argument is passed, the value is set to true by default. With HttpOnly set to false, any script running on the page can read the token, including a script injected through XSS.

Protect against CSRF

If you want to protect a route or a site against CSRF, just add app.csrf_protect() at the beginning of the handler function.

fn (mut app App) foo() vweb.Result {
	// Protect this handler function against CSRF
	app.csrf_protect()
	return app.text("Checked and passed csrf-guard")
}