
Csrf token?

Open romanoff opened this issue 9 years ago • 3 comments

What do you think about the idea of adding tools here to manage CSRF tokens?

Here are functions I think could be useful:

  1. Extract csrf token from session
  2. Generate masked csrf token (something like http://apidock.com/rails/ActionController/RequestForgeryProtection/masked_authenticity_token)
  3. Check if submitted masked csrf token corresponds to csrf token stored in session
  4. Generate new csrf token (maybe if session doesn't have one)

Would you accept a pull request with a package that implements some of the functions listed above?

romanoff avatar Dec 14 '15 07:12 romanoff

@romanoff, sounds interesting. My intention for this library was to pass e.g. a Devise-authenticated user to a Go backend. What is the use of passing a CSRF token to the Go app?

andrewslotin avatar Dec 14 '15 09:12 andrewslotin

Let's say you want to render some slow pages in Go (not with Rails). If that page has some form (or maybe it has some dialog that submits a POST form), then you need a CSRF token (if the endpoint the form will be submitted to is still handled by Rails). And the one that you actually need is masked_authenticity_token (it changes all the time). Also, a more complicated scenario could be if this page is the first page the user landed on. In this case you will not only need masked_authenticity_token, but you will also need to generate and write csrf_token into a session.

romanoff avatar Dec 14 '15 19:12 romanoff

Sounds reasonable, please feel free to open a pull request.

andrewslotin avatar Dec 15 '15 10:12 andrewslotin
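
Added example, not part of the thread and not gorails code: a Go version of items 2 to 4 from the list in the opening post, which also covers the masked-token case described in the later comment. It assumes the scheme behind the linked `masked_authenticity_token` documentation (a 32-byte token stored in the session as standard base64, masked as a one-time pad followed by pad XOR token) and that the session value has already been extracted; `NewToken`, `Mask` and `Valid` are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

const tokenLen = 32 // raw token bytes (assumed: Rails AUTHENTICITY_TOKEN_LENGTH)

// NewToken returns a fresh real token, base64-encoded as it would be stored in the session.
func NewToken() (string, error) {
	raw := make([]byte, tokenLen)
	_, err := rand.Read(raw)
	return base64.StdEncoding.EncodeToString(raw), err
}

// Mask returns base64(pad || pad XOR real token); discard the result if err != nil.
func Mask(sessionToken string) (string, error) {
	secret, err := base64.StdEncoding.DecodeString(sessionToken)
	if err != nil || len(secret) != tokenLen {
		return "", fmt.Errorf("malformed session token")
	}
	out := make([]byte, 2*tokenLen)
	_, err = rand.Read(out[:tokenLen]) // first half: one-time pad
	for i, b := range secret {
		out[tokenLen+i] = out[i] ^ b // second half: pad XOR real token
	}
	return base64.StdEncoding.EncodeToString(out), err
}

// Valid unmasks a submitted token and compares it to the session token in constant time.
func Valid(submitted, sessionToken string) bool {
	m, err1 := base64.StdEncoding.DecodeString(submitted)
	secret, err2 := base64.StdEncoding.DecodeString(sessionToken)
	if err1 != nil || err2 != nil || len(m) != 2*tokenLen || len(secret) != tokenLen {
		return false
	}
	for i := 0; i < tokenLen; i++ {
		m[tokenLen+i] ^= m[i] // undo the pad
	}
	return subtle.ConstantTimeCompare(m[tokenLen:], secret) == 1
}

func main() {
	tok, _ := NewToken()
	masked, _ := Mask(tok)
	fmt.Println(Valid(masked, tok))
}
```

`Valid` deliberately accepts only the masked 64-byte form. Later Rails versions add per-form tokens and URL-safe encoding, which this example does not cover.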