kemal-csrf v1.1.0
kemal-csrf
Adds CSRF protection to your Kemal application.
Requires a session middleware to be initialized first.
Installation
Add this to your application's shard.yml
:
dependencies:
kemal-csrf:
github: kemalcr/kemal-csrf
Usage
Basic Use
require "kemal-csrf"
add_handler CSRF.new
To access the CSRF token of the active session you can do the following in your .ecr form(s)
<input type="hidden" name="authenticity_token" value='<%= env.session.string("csrf") %>'>
You can also change the name of the form field, header name, the methods which don't need csrf,error message and routes which you don't want csrf to apply. All of these are optional
require "kemal-csrf"
add_handler CSRF.new(
header: "X_CSRF_TOKEN",
allowed_methods: ["GET", "HEAD", "OPTIONS", "TRACE"],
allowed_routes: ["/api/somecallback", "/api/v1/**"],
parameter_name: "_csrf",
error: "CSRF Error",
http_only: false,
samesite: nil,
)
If you need to have some logic within your error response, you can also pass it a proc (a pointer to a function)
require "kemal-csrf"
add_handler CSRF.new(
header: "X_CSRF_TOKEN",
allowed_methods: ["GET", "HEAD", "OPTIONS", "TRACE"],
allowed_routes: ["/api/somecallback", "/api/v1/**"],
parameter_name: "_csrf",
error: ->myerrorhandler(HTTP::Server::Context)
)
def myerrorhandler(env)
if env.request.headers["Content-Type"]? == "application/json"
{"error" => "csrf error"}.to_json
else
"<html><head><title>Error</title><body><h1>You cannot post to this route without a valid csrf token</h1></body></html>"
end
end
Contributing
- Fork it ( https://github.com/kemalcr/kemal-csrf/fork )
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Add some feature')
- Push to the branch (git push origin my-new-feature)
- Create a new Pull Request
Contributors
- sdogruyol Serdar Dogruyol - creator, maintainer
Repository
kemal-csrf
Owner
Statistic
- 25
- 21
- 2
- 8
- 2
- 8 months ago
- November 24, 2016
License
MIT License
Links
Synced at
Fri, 08 Nov 2024 01:58:37 GMT
Languages