CSRF
Middleware that provides CSRF (Cross-Site Request Forgery) protection.
CsrfStoreprovides access to data.CookieStorewill store data inCookie, and will verify the validity of the request according to thecsrf-tokenandCookievalues submitted by the user. The data is stored in theSession, and the validity of the request is verified with the data submitted by the user and the data in theSession. Note that theSessionStoremust be used with thesessionfunction.Csrfis a structure that implementsHandler, and there is askipperfield inside, which can be specified to skip certain requests that do not require authentication. By default,Method::POST,Method: :PATCH,Method::DELETE,Method::PUTrequests.
Example
Use cookie store
use salvo::csrf::*;
use salvo::prelude::*;
use serde::{Deserialize, Serialize};
#[handler]
pub async fn home(res: &mut Response) {
let html = r#"
<!DOCTYPE html>
<html>
<head><meta charset="UTF-8"><title>Csrf CookieStore</title></head>
<body>
<h2>Csrf Exampe: CookieStore</h2>
<ul>
<li><a href="../bcrypt">Bcrypt</a></li>
<li><a href="../hmac">Hmac</a></li>
<li><a href="../aes_gcm">Aes Gcm</a></li>
<li><a href="../ccp">chacha20poly1305</a></li>
</ul>
</body>"#;
res.render(Text::Html(html));
}
#[handler]
pub async fn get_page(depot: &mut Depot, res: &mut Response) {
let new_token = depot.csrf_token().map(|s| &**s).unwrap_or_default();
res.render(Text::Html(get_page_html(new_token, "")));
}
#[handler]
pub async fn post_page(req: &mut Request, depot: &mut Depot, res: &mut Response) {
#[derive(Deserialize, Serialize, Debug)]
struct Data {
csrf_token: String,
message: String,
}
let data = req.parse_form::<Data>().await.unwrap();
tracing::info!("posted data: {:?}", data);
let new_token = depot.csrf_token().map(|s| &**s).unwrap_or_default();
let html = get_page_html(new_token, &format!("{:#?}", data));
res.render(Text::Html(html));
}
#[tokio::main]
async fn main() {
tracing_subscriber::fmt().init();
let form_finder = FormFinder::new("csrf_token");
let bcrypt_csrf = bcrypt_cookie_csrf(form_finder.clone());
let hmac_csrf = hmac_cookie_csrf(*b"01234567012345670123456701234567", form_finder.clone());
let aes_gcm_cookie_csrf =
aes_gcm_cookie_csrf(*b"01234567012345670123456701234567", form_finder.clone());
let ccp_cookie_csrf =
ccp_cookie_csrf(*b"01234567012345670123456701234567", form_finder.clone());
let router = Router::new()
.get(home)
.push(
Router::with_hoop(bcrypt_csrf)
.path("bcrypt")
.get(get_page)
.post(post_page),
)
.push(
Router::with_hoop(hmac_csrf)
.path("hmac")
.get(get_page)
.post(post_page),
)
.push(
Router::with_hoop(aes_gcm_cookie_csrf)
.path("aes_gcm")
.get(get_page)
.post(post_page),
)
.push(
Router::with_hoop(ccp_cookie_csrf)
.path("ccp")
.get(get_page)
.post(post_page),
);
let acceptor = TcpListener::new("127.0.0.1:7878").bind().await;
Server::new(acceptor).serve(router).await;
}
fn get_page_html(csrf_token: &str, msg: &str) -> String {
format!(
r#"
<!DOCTYPE html>
<html>
<head><meta charset="UTF-8"><title>Csrf Example</title></head>
<body>
<h2>Csrf Exampe: CookieStore</h2>
<ul>
<li><a href="../bcrypt/">Bcrypt</a></li>
<li><a href="../hmac/">Hmac</a></li>
<li><a href="../aes_gcm/">Aes Gcm</a></li>
<li><a href="../ccp/">chacha20poly1305</a></li>
</ul>
<form action="./" method="post">
<input type="hidden" name="csrf_token" value="{}" />
<div>
<label>Message:<input type="text" name="message" /></label>
</div>
<button type="submit">Send</button>
</form>
<pre>{}</pre>
</body>
</html>
"#,
csrf_token, msg
)
}
[package]
name = "example-csrf-cookie-store"
version = "0.1.0"
edition = "2021"
publish = false
[dependencies]
salvo = { workspace = true, features = ["csrf", "jwt-auth"]}
tokio = { version = "1", features = ["macros"] }
tracing = "0.1"
tracing-subscriber = "0.3"
serde = { version = "1", features = ["derive"] }
Use session store
use salvo::csrf::*;
use salvo::prelude::*;
use salvo::session::{MemoryStore, SessionHandler};
use serde::{Deserialize, Serialize};
#[handler]
pub async fn home(res: &mut Response) {
let html = r#"
<!DOCTYPE html>
<html>
<head><meta charset="UTF-8"><title>Csrf SessionStore</title></head>
<body>
<h2>Csrf Exampe: SessionStore</h2>
<ul>
<li><a href="../bcrypt">Bcrypt</a></li>
<li><a href="../hmac">Hmac</a></li>
<li><a href="../aes_gcm">Aes Gcm</a></li>
<li><a href="../ccp">chacha20poly1305</a></li>
</ul>
</body>"#;
res.render(Text::Html(html));
}
#[handler]
pub async fn get_page(depot: &mut Depot, res: &mut Response) {
let new_token = depot.csrf_token().map(|s| &**s).unwrap_or_default();
res.render(Text::Html(get_page_html(new_token, "")));
}
#[handler]
pub async fn post_page(req: &mut Request, depot: &mut Depot, res: &mut Response) {
#[derive(Deserialize, Serialize, Debug)]
struct Data {
csrf_token: String,
message: String,
}
let data = req.parse_form::<Data>().await.unwrap();
tracing::info!("posted data: {:?}", data);
let new_token = depot.csrf_token().map(|s| &**s).unwrap_or_default();
let html = get_page_html(new_token, &format!("{:#?}", data));
res.render(Text::Html(html));
}
#[tokio::main]
async fn main() {
tracing_subscriber::fmt().init();
let form_finder = FormFinder::new("csrf_token");
let bcrypt_csrf = bcrypt_session_csrf(form_finder.clone());
let hmac_csrf = hmac_session_csrf(*b"01234567012345670123456701234567", form_finder.clone());
let aes_gcm_session_csrf =
aes_gcm_session_csrf(*b"01234567012345670123456701234567", form_finder.clone());
let ccp_session_csrf =
ccp_session_csrf(*b"01234567012345670123456701234567", form_finder.clone());
let session_handler = SessionHandler::builder(
MemoryStore::new(),
b"secretabsecretabsecretabsecretabsecretabsecretabsecretabsecretab",
)
.build()
.unwrap();
let router = Router::new()
.get(home)
.hoop(session_handler)
.push(
Router::with_hoop(bcrypt_csrf)
.path("bcrypt")
.get(get_page)
.post(post_page),
)
.push(
Router::with_hoop(hmac_csrf)
.path("hmac")
.get(get_page)
.post(post_page),
)
.push(
Router::with_hoop(aes_gcm_session_csrf)
.path("aes_gcm")
.get(get_page)
.post(post_page),
)
.push(
Router::with_hoop(ccp_session_csrf)
.path("ccp")
.get(get_page)
.post(post_page),
);
let acceptor = TcpListener::new("127.0.0.1:5800").bind().await;
Server::new(acceptor).serve(router).await;
}
fn get_page_html(csrf_token: &str, msg: &str) -> String {
format!(
r#"
<!DOCTYPE html>
<html>
<head><meta charset="UTF-8"><title>Csrf SessionStore</title></head>
<body>
<h2>Csrf Exampe: SessionStore</h2>
<ul>
<li><a href="../bcrypt/">Bcrypt</a></li>
<li><a href="../hmac/">Hmac</a></li>
<li><a href="../aes_gcm/">Aes Gcm</a></li>
<li><a href="../ccp/">chacha20poly1305</a></li>
</ul>
<form action="./" method="post">
<input type="hidden" name="csrf_token" value="{}" />
<div>
<label>Message:<input type="text" name="message" /></label>
</div>
<button type="submit">Send</button>
</form>
<pre>{}</pre>
</body>
</html>
"#,
csrf_token, msg
)
}
[package]
name = "example-csrf-session-store"
version = "0.1.0"
edition = "2021"
publish = false
[dependencies]
salvo = { workspace = true, features = ["csrf", "session"] }
tokio = { version = "1", features = ["macros"] }
tracing = "0.1"
tracing-subscriber = "0.3"
serde = { version = "1", features = ["derive"] }