jdb/buffoonery
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow bypassing of CSRF valdiation when needed.

Browse Source
This commit is contained in:
Jonathan Bernard 2025-02-04 17:54:07 -06:00
parent e4c7524d3d
commit 7bc77ac7d7
2 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
buffoonery.nimble
View File

@ -1,6 +1,6 @@
# Package # Package
version = "0.4.5" version = "0.4.6"
author = "Jonathan Bernard" author = "Jonathan Bernard"
description = "Jonathan's opinionated extensions and auth layer for Jester." description = "Jonathan's opinionated extensions and auth layer for Jester."
license = "MIT" license = "MIT"

19
src/buffoonery/auth.nim
View File

@ -167,7 +167,7 @@ proc validateJWT*(ctx: ApiAuthContext, jwt: JWT) =
failAuth(getCurrentExceptionMsg(), getCurrentException()) failAuth(getCurrentExceptionMsg(), getCurrentException())
proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT = proc extractValidJwt*(ctx: ApiAuthContext, req: Request, validateCsrf = true): JWT =
## Extracts a valid JWT representing the user's authentication and ## Extracts a valid JWT representing the user's authentication and
## authorization details, if present. If there are no valid credentials an ## authorization details, if present. If there are no valid credentials an
## exception is raised. ## exception is raised.
@ -191,6 +191,12 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
## ##
## In the split-cookie mode we also check that the `csrfToken` claim in the ## In the split-cookie mode we also check that the `csrfToken` claim in the
## JWT payload matches the CSRF value passed via the `X-CSRF-TOKEN` header. ## JWT payload matches the CSRF value passed via the `X-CSRF-TOKEN` header.
## This CSRF check can be disabled by setting `validateCsrf` to `false`.
## This option is proivded to support occasional use-cases where you want to
## be able to serve a request using cookie auth when the client can't set
## custom headers (e.g. a simple link from an <a> tag). Obviously, this is a
## security risk and should only be used with caution with a full
## understanding of the risk.
try: try:
if req.headers.contains("Authorization"): if req.headers.contains("Authorization"):
@ -214,12 +220,13 @@ proc extractValidJwt*(ctx: ApiAuthContext, req: Request): JWT =
# Because this is a web session, check that the CSRF is present and # Because this is a web session, check that the CSRF is present and
# matches. # matches.
if not req.headers.contains("X-CSRF-TOKEN") or if validateCsrf:
not result.claims["csrfToken"].isSome: if not req.headers.contains("X-CSRF-TOKEN") or
failAuth "missing CSRF token" not result.claims["csrfToken"].isSome:
failAuth "missing CSRF token"
if req.headers["X-CSRF-TOKEN"] != result.claims["csrfToken"].get.getStr(""): if req.headers["X-CSRF-TOKEN"] != result.claims["csrfToken"].get.getStr(""):
failAuth "invalid CSRF token" failAuth "invalid CSRF token"
else: failAuth "no auth token, no Authorization or Cookie headers" else: failAuth "no auth token, no Authorization or Cookie headers"