Allow bypassing of CSRF valdiation when needed.

buffoonery.nimble

@@ -1,6 +1,6 @@
 # Package
 
-version       = "0.4.5"
+version       = "0.4.6"
 author        = "Jonathan Bernard"
 description   = "Jonathan's opinionated extensions and auth layer for Jester."
 license       = "MIT"

src/buffoonery/auth.nim

@@ -167,7 +167,7 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
     failAuth(getCurrentExceptionMsg(), getCurrentException())
 
 
-proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
+proc extractValidJwt*(ctx: ApiAuthContext, req: Request, validateCsrf = true): JWT =
   ## Extracts a valid JWT representing the user's authentication and
   ## authorization details, if present. If there are no valid credentials an
   ## exception is raised.
@@ -191,6 +191,12 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
   ##
   ##   In the split-cookie mode we also check that the `csrfToken` claim in the
   ##   JWT payload matches the CSRF value passed via the `X-CSRF-TOKEN` header.
+  ##   This CSRF check can be disabled by setting `validateCsrf` to `false`.
+  ##   This option is proivded to support occasional use-cases where you want to
+  ##   be able to serve a request using cookie auth when the client can't set
+  ##   custom headers (e.g. a simple link from an <a> tag). Obviously, this is a
+  ##   security risk and should only be used with caution with a full
+  ##   understanding of the risk.
 
   try:
     if req.headers.contains("Authorization"):
@@ -214,6 +220,7 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
 
       # Because this is a web session, check that the CSRF is present and
       # matches.
+      if validateCsrf:
         if not req.headers.contains("X-CSRF-TOKEN") or
            not result.claims["csrfToken"].isSome:
           failAuth "missing CSRF token"