Allow to change the key of CSRF token in a session.

2025-03-05 09:21:39 -05:00 · 2018-04-12 17:20:55 +09:00 · 2018-04-12 17:20:55 +09:00 · 9ae2c5df7c
commit 9ae2c5df7c
parent 23c372594b
1 changed files with 21 additions and 17 deletions
--- a/src/middleware/csrf.lisp
+++ b/src/middleware/csrf.lisp
@ -11,23 +11,27 @@
           :csrf-html-tag))
 (in-package :lack.middleware.csrf)

+(defvar *csrf-token-key*)
+
 (defparameter *lack-middleware-csrf*
-  (lambda (app &key (block-app #'return-400) one-time)
+  (lambda (app &key (block-app #'return-400) one-time
+            (csrf-token-key :csrf-token))
    (lambda (env)
-      (block nil
-        (unless (danger-method-p (getf env :request-method))
-          (return (funcall app env)))
+      (let ((*csrf-token-key* csrf-token-key))
+        (block nil
+          (unless (danger-method-p (getf env :request-method))
+            (return (funcall app env)))

-        (let ((session (getf env :lack.session)))
-          (unless session
-            (error ":lack.session is missing in ENV. Wrap this app up with lack.middleware.session"))
+          (let ((session (getf env :lack.session)))
+            (unless session
+              (error ":lack.session is missing in ENV. Wrap this app up with lack.middleware.session"))

-          (if (valid-token-p env)
-              (progn
-                (when one-time
-                  (remhash :csrf-token session))
-                (funcall app env))
-              (funcall block-app env))))))
+            (if (valid-token-p env)
+                (progn
+                  (when one-time
+                    (remhash csrf-token-key session))
+                  (funcall app env))
+                (funcall block-app env)))))))
  "Middleware for easy CSRF protection")

 (defun return-400 (env)
@ -44,7 +48,7 @@

 (defun valid-token-p (env)
  (let ((req (make-request env))
-        (csrf-token (gethash :csrf-token
+        (csrf-token (gethash *csrf-token-key*
                             (getf env :lack.session))))
    (and csrf-token
         (let ((recieved-csrf-token
@ -52,9 +56,9 @@
           (string= csrf-token recieved-csrf-token)))))

 (defun csrf-token (session)
-  (unless (gethash :csrf-token session)
-    (setf (gethash :csrf-token session) (generate-random-id)))
-  (gethash :csrf-token session))
+  (unless (gethash *csrf-token-key* session)
+    (setf (gethash *csrf-token-key* session) (generate-random-id)))
+  (gethash *csrf-token-key* session))

 (defun csrf-html-tag (session)
  (format nil "<input type=\"hidden\" name=\"_csrf_token\" value=\"~A\">"