
Luke Plant  committed cc77c68

Implemented function to generate hidden input with CSRF token

  • Parent commits 61c8c55


Files changed (2)

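--- a/src/Ella/Processors/Security.hs
+++ b/src/Ella/Processors/Security.hs
                  -> CSRFProtection
 mkCSRFProtection baseCookie rejectView secret =
     let tokenName = "csrftoken"
+        requestEnvName = "csrftoken"
         makeCsrfToken = randomStr 20
-        getTokenFromReq req = fromJust $ Map.lookup "csrftoken" $ environment req
-        addTokenToReq req token = req { environment = Map.insert "csrftoken" token $ environment req }
+        getTokenFromReq req = fromJust $ Map.lookup requestEnvName $ environment req
+        mkTokenField req = "<input type=\"hidden\" name=\"" ++ tokenName ++ "\" value=\"" ++ getTokenFromReq req ++ "\" >"
+        addTokenToReq req token = req { environment = Map.insert requestEnvName token $ environment req }
 
         makeCsrfCookie token = do
           timestamp <- getTimestamp
             else normalProc
 
     in CSRFProtection { csrfProtectView = pview
-                      , csrfTokenField = undefined
+                      , csrfTokenField = mkTokenField
                       , csrfTokenName = tokenName
                       , csrfTokenValue = getTokenFromReq
                       }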
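Review bot: The new `mkTokenField` binding concatenates the token straight into an HTML attribute value with no escaping or validation, and it reads the token through `getTokenFromReq`, which still uses `fromJust`, so a view that calls `csrfTokenField` on a request that has not gone through `csrfProtectView` (where `addTokenToReq` stores the value under `requestEnvName`) fails with a bare `fromJust` error. The token is generated by `makeCsrfToken = randomStr 20`, but this hunk does not show whether the value later read back from the request environment is constrained to that alphabet or can be taken from the incoming cookie unchanged; if the latter, run it through the project's HTML-escaping helper before concatenation, or reject tokens containing characters outside the alphabet `randomStr` produces. The precondition should also be documented on the field, e.g. `-- csrfTokenField/csrfTokenValue require a request that has passed through csrfProtectView; the token is looked up under requestEnvName and fromJust fails otherwise.` Note that `mkCSRFProtection`'s signature begins before the hunk and the body between `makeCsrfCookie` and `else normalProc` is not shown here.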

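--- a/testsuite/Tests/Ella/Processors/Security.hs
+++ b/testsuite/Tests/Ella/Processors/Security.hs
       return ((BS.length $ content resp) > 1)
     ) ~? "csrf processor puts token into request environment"
 
+testCsrfTokenField =
+    (do
+      let req = mkGetReq "/foo/" `with` [ addCsrfCookie ]
+          -- view that extracts 'csrftoken' from request environment field
+          view = \req -> return $ Just $ buildResponse [ addContent $ utf8 $ csrfTokenField csrfProtection $ req ] utf8TextResponse
+      Just resp <- (csrfProtectView csrfProtection) view req
+      return (content resp == utf8 ("<input type=\"hidden\" name=\"csrftoken\" value=\"" ++ aCsrfToken ++ "\" >"))
+    ) ~? "csrf hidden input field is correct"
+
+
 tests = test [ testSignedCookiesProcessor1
              , testSignedCookiesProcessor2
              , testSignedCookiesProcessor3
              , testCsrfSetsOutgoingCookie
              , testCsrfSetsSameOutgoingCookie
              , testCsrfSetsTokenInRequestEnv
+             , testCsrfTokenField
              ]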
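Review bot: In `testCsrfTokenField` the lambda parameter `\req` shadows the `req` bound by the enclosing `let`, which reads as if the outer request were used and will be flagged by `-Wname-shadowing`; rename it, e.g. `view = \r -> return $ Just $ buildResponse [ addContent $ utf8 $ csrfTokenField csrfProtection $ r ] utf8TextResponse`. The expected markup repeats the exact layout of `mkTokenField`, including the trailing `" >"`, so the assertion pins the attribute order and spacing rather than just the presence of the token; that is acceptable for a regression test, but the comment above `view` could say the string is compared verbatim. The test only exercises the path where `addCsrfCookie` has already populated the request environment; there is no case for `csrfTokenField` being applied to a request that did not pass through `csrfProtectView`.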