Generation and verification of CSRF prevention tokens.

Add the following dependency to Cargo.toml.

csrf-token = { git = "ssh://[email protected]/future-science-research/csrf-token.git", branch="v0.2.x" }

Clone this repository and checkout the latest stable version.

$ git clone https://github.com/future-science-research/csrf-token.git
$ cd csrf-token
$ git checkout master

Then run the example.

$ cargo run --example main

Access http://localhost:8080/. The form to post a message is shown.

A CSRF prevention token is attached to the form as a hidden input. Check the source code of the web page.

<input type="hidden" name="csrf_token" value="486d8f4378397926413f24444972e93edb8975e04d3137912a6851aa2223894e156ad99d1af496bb95a25678ab3417a7a84b59fc2e31d7786333d65ae1a7733731ffcce3e55999ed">

To generate a token, first of all, create a CsrfTokenGenerator. See examples/main.rs.

let generator = Arc::new(CsrfTokenGenerator::new(secret, Duration::hours(1)));

The first argument is a secret value used for encryption of tokens. 32-byte secret length is recommended.

The second argument is the duration in which the token is valid. It must be sufficient length for human clients to fill the form and submit.

For using the token generator in Actix handlers, you have to immutably share the generator between threads. It can be achieved by using lazy_static macro or state of Actix App. In the example, app state is used.

server::new(move || {
    App::with_state(generator.clone())
    /* ... */
})

Just call generate method. You can get a token as a Vec<u8> value. In the form of the example, a hex-encoded is embedded.

let token = hex::encode(&generator.generate());
HttpResponse::Ok()
    .content_type("text/html")
    .body(FORM_TEMPLATE.replace("{{csrf-token}}", &token))

Decode the token given by the client and call verify method.

generator.verify(&token)?;

It returns Result<(), CsrfTokenError>.

Licensed under the MIT License.