final class CSRF[F[_], G[_]] extends AnyRef

Middleware to avoid Cross-site request forgery attacks. More info on CSRF at: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

This middleware is modeled after the double submit cookie pattern: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookie

When a user authenticates, embedNew is used to send a random CSRF value as a cookie. (Alternatively, an authenticating service can be wrapped in withNewToken).

By default, for requests that are unsafe (PUT, POST, DELETE, PATCH), services protected by the validated method in the middleware will check that the csrf token is present in both the header headerName and the cookie cookieName. Due to the Same-Origin policy, an attacker will be unable to reproduce this value in a custom header, resulting in a 403 Forbidden response.

By default, requests with safe methods (such as GET, OPTIONS, HEAD) will have a new token embedded in them if there isn't one, or will receive a refreshed token based off of the previous token to mitigate the BREACH vulnerability. If a request contains an invalid token, regardless of whether it is a safe method, this middleware will fail it with 403 Forbidden. In this situation, your user(s) should clear their cookies for your page, to receive a new token.

The default can be overridden by modifying the predicate in validate. It will, by default, check if the method is safe. Thus, you can provide some whitelisting capability for certain kinds of requests.

We'd like to emphasize that you please follow proper design principles in creating endpoints, as to not mutate in what should otherwise be idempotent methods (i.e no dropping your DB in a GET method, or altering user data). Please do not use the CSRF protection from this middleware as a safety net for bad design.

Self Type
CSRF[F, G]
Source
CSRF.scala
Linear Supertypes
AnyRef, Any
Ordering
  1. Alphabetic
  2. By Inheritance
Inherited
  1. CSRF
  2. AnyRef
  3. Any
Implicitly
  1. by any2stringadd
  2. by StringFormat
  3. by Ensuring
  4. by ArrowAssoc
  1. Hide All
  2. Show All
Visibility
  1. Public
  2. All

Value Members

  1. final def !=(arg0: Any): Boolean
    Definition Classes
    AnyRef → Any
  2. final def ##(): Int
    Definition Classes
    AnyRef → Any
  3. def +(other: String): String
    Implicit
    This member is added by an implicit conversion from CSRF[F, G] to any2stringadd[CSRF[F, G]] performed by method any2stringadd in scala.Predef.
    Definition Classes
    any2stringadd
  4. def ->[B](y: B): (CSRF[F, G], B)
    Implicit
    This member is added by an implicit conversion from CSRF[F, G] to ArrowAssoc[CSRF[F, G]] performed by method ArrowAssoc in scala.Predef.
    Definition Classes
    ArrowAssoc
    Annotations
    @inline()
  5. final def ==(arg0: Any): Boolean
    Definition Classes
    AnyRef → Any
  6. final def asInstanceOf[T0]: T0
    Definition Classes
    Any
  7. def checkCSRFDefault(r: Request[G], http: F[Response[G]]): F[Response[G]]

    Check for CSRF validity for an unsafe action.

    Check for CSRF validity for an unsafe action.

    Check for the default header value

  8. def checkCSRFToken(r: Request[G], respAction: F[Response[G]], rawToken: String)(implicit F: Sync[F]): F[Response[G]]

    Check for CSRF validity for an unsafe action.

    Check for CSRF validity for an unsafe action.

    Exposed to users in case of manual plumbing of csrf token (i.e websocket or query param)

  9. def clone(): AnyRef
    Attributes
    protected[java.lang]
    Definition Classes
    AnyRef
    Annotations
    @native() @throws( ... )
  10. val cookieName: String
  11. def createRequestCookie(token: CSRFToken): RequestCookie
  12. def createResponseCookie(token: CSRFToken): ResponseCookie

    Create a Response cookie from a signed CSRF token

    Create a Response cookie from a signed CSRF token

    token

    the signed csrf token

  13. def embedInRequestCookie(r: Request[G], token: CSRFToken): Request[G]
  14. def embedInResponseCookie(r: Response[G], token: CSRFToken): Response[G]
  15. def embedNewInResponseCookie[M[_]](res: Response[G])(implicit arg0: Sync[M]): M[Response[G]]

    Embed a token into a response *

  16. def ensuring(cond: (CSRF[F, G]) ⇒ Boolean, msg: ⇒ Any): CSRF[F, G]
    Implicit
    This member is added by an implicit conversion from CSRF[F, G] to Ensuring[CSRF[F, G]] performed by method Ensuring in scala.Predef.
    Definition Classes
    Ensuring
  17. def ensuring(cond: (CSRF[F, G]) ⇒ Boolean): CSRF[F, G]
    Implicit
    This member is added by an implicit conversion from CSRF[F, G] to Ensuring[CSRF[F, G]] performed by method Ensuring in scala.Predef.
    Definition Classes
    Ensuring
  18. def ensuring(cond: Boolean, msg: ⇒ Any): CSRF[F, G]
    Implicit
    This member is added by an implicit conversion from CSRF[F, G] to Ensuring[CSRF[F, G]] performed by method Ensuring in scala.Predef.
    Definition Classes
    Ensuring
  19. def ensuring(cond: Boolean): CSRF[F, G]
    Implicit
    This member is added by an implicit conversion from CSRF[F, G] to Ensuring[CSRF[F, G]] performed by method Ensuring in scala.Predef.
    Definition Classes
    Ensuring
  20. final def eq(arg0: AnyRef): Boolean
    Definition Classes
    AnyRef
  21. def equals(arg0: Any): Boolean
    Definition Classes
    AnyRef → Any
  22. def extractRaw(rawToken: String): Either[CSRFCheckFailed, String]

    Decode our CSRF token, check the signature and extract the original token string to sign

  23. def filter(predicate: (Request[G]) ⇒ Boolean = _.method.isSafe, r: Request[G], http: Http[F, G]): F[Response[G]]

    Check predicate, then apply the correct csrf policy *

  24. def finalize(): Unit
    Attributes
    protected[java.lang]
    Definition Classes
    AnyRef
    Annotations
    @throws( classOf[java.lang.Throwable] )
  25. def formatted(fmtstr: String): String
    Implicit
    This member is added by an implicit conversion from CSRF[F, G] to StringFormat[CSRF[F, G]] performed by method StringFormat in scala.Predef.
    Definition Classes
    StringFormat
    Annotations
    @inline()
  26. def generateToken[M[_]](implicit F: Sync[M]): M[CSRFToken]

    Generate a new token *

  27. final def getClass(): Class[_]
    Definition Classes
    AnyRef → Any
    Annotations
    @native()
  28. def hashCode(): Int
    Definition Classes
    AnyRef → Any
    Annotations
    @native()
  29. val headerName: CaseInsensitiveString
  30. final def isInstanceOf[T0]: Boolean
    Definition Classes
    Any
  31. final def ne(arg0: AnyRef): Boolean
    Definition Classes
    AnyRef
  32. final def notify(): Unit
    Definition Classes
    AnyRef
    Annotations
    @native()
  33. final def notifyAll(): Unit
    Definition Classes
    AnyRef
    Annotations
    @native()
  34. def refreshOrCreate[M[_]](r: Request[G])(implicit F: Sync[M]): EitherT[M, CSRFCheckFailed, CSRFToken]

    Extract a CsrfToken, if present, from the request, then try generate a new token signature, or fail with a validation error.

    Extract a CsrfToken, if present, from the request, then try generate a new token signature, or fail with a validation error. If not present, generate a new token

    returns

    newly refreshed token

  35. def refreshedToken[M[_]](r: Request[G])(implicit F: Sync[M]): EitherT[M, CSRFCheckFailed, CSRFToken]

    Extract a CsrfToken, if present, from the request, then try to generate a new token signature, or fail with a validation error

    Extract a CsrfToken, if present, from the request, then try to generate a new token signature, or fail with a validation error

    returns

    newly refreshed token

  36. def signToken[M[_]](rawToken: String)(implicit F: Sync[M]): M[CSRFToken]

    Sign our token using the current time in milliseconds as a nonce Signing and generating a token is potentially a unsafe operation if constructed with a bad key.

  37. final def synchronized[T0](arg0: ⇒ T0): T0
    Definition Classes
    AnyRef
  38. def toString(): String
    Definition Classes
    AnyRef → Any
  39. def validate(predicate: (Request[G]) ⇒ Boolean = _.method.isSafe): Middleware[F, Request[G], Response[G], Request[G], Response[G]]

    Constructs a middleware that will check for the csrf token presence on both the proper cookie, and header values, if the predicate is not satisfied

    Constructs a middleware that will check for the csrf token presence on both the proper cookie, and header values, if the predicate is not satisfied

    If it is a valid token, it will then embed a new one, to effectively randomize the complete token while avoiding the generation of a new secure random Id, to guard against [BREACH](http://breachattack.com/)

  40. final def wait(): Unit
    Definition Classes
    AnyRef
    Annotations
    @throws( ... )
  41. final def wait(arg0: Long, arg1: Int): Unit
    Definition Classes
    AnyRef
    Annotations
    @throws( ... )
  42. final def wait(arg0: Long): Unit
    Definition Classes
    AnyRef
    Annotations
    @native() @throws( ... )
  43. def [B](y: B): (CSRF[F, G], B)
    Implicit
    This member is added by an implicit conversion from CSRF[F, G] to ArrowAssoc[CSRF[F, G]] performed by method ArrowAssoc in scala.Predef.
    Definition Classes
    ArrowAssoc

Inherited from AnyRef

Inherited from Any

Inherited by implicit conversion any2stringadd from CSRF[F, G] to any2stringadd[CSRF[F, G]]

Inherited by implicit conversion StringFormat from CSRF[F, G] to StringFormat[CSRF[F, G]]

Inherited by implicit conversion Ensuring from CSRF[F, G] to Ensuring[CSRF[F, G]]

Inherited by implicit conversion ArrowAssoc from CSRF[F, G] to ArrowAssoc[CSRF[F, G]]

Ungrouped