Repository contents (path: last commit, date):

.github/workflows: Make sure to compile examples in CI (2024-11-19 16:30:39 +01:00)
examples: Fix typos in comments and documentation (2024-11-24 12:16:25 +01:00)
src: Fix typos in comments and documentation (2024-11-24 12:16:25 +01:00)
tests: Add tests for actix-multipart feature (2024-11-17 11:40:05 +01:00)
.gitignore: Remove Cargo.lock (2022-04-03 14:41:43 -07:00)
Cargo.toml: Remove actix-multipart from dev dependencies (2024-11-19 16:49:21 +01:00)
CHANGELOG.md: Update changelog (2024-11-24 13:29:13 -08:00)
clippy.toml: Set MSRV to 1.71 as requested in edward-shen/actix-csrf#14 (2024-11-15 17:34:43 +01:00)
LICENSE-APACHE: Update readme (2021-08-19 00:33:29 -04:00)
LICENSE-MIT: Update readme (2021-08-19 00:33:29 -04:00)
README.md: Update readme and changelog to reflect msrv updates (2024-11-16 23:05:32 -08:00)

actix-csrf

CSRF middleware for actix-web 4.3.1 or newer that uses the Double-Submit Token pattern.

This crate has not yet been audited. Use in production at your own risk.

Usage

Installing the middleware is standard: specify a cryptographically secure RNG to use, and declare which paths should set a CSRF cookie and which should validate one.

// Imports added for completeness; module paths assume actix-csrf's layout,
// where `actix_csrf::Csrf` is the middleware and `StdRng` comes from `rand`.
use actix_csrf::Csrf;
use actix_web::{http::Method, App, HttpServer};
use rand::rngs::StdRng;

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        // Issue the CSRF cookie on GET /login; the protected POST handler
        // validates it via the Csrf extractor. `login_ui` and `login` are
        // the application's handlers (`login` is shown in the next snippet).
        let csrf = Csrf::<StdRng>::new()
            .set_cookie(Method::GET, "/login");
        App::new().wrap(csrf).service(login_ui).service(login)
    })
    .bind(("127.0.0.1", 8080))?
    .run()
    .await
}

Then, use the CsrfCookie extractor to pull the CSRF cookie and validate it with a CSRF token provided as part of the protected request.

// Imports added for completeness; the extractor types are assumed to live
// under `actix_csrf::extractor` (a different `Csrf` than the middleware).
use actix_csrf::extractor::{Csrf, CsrfGuarded, CsrfToken};
use actix_web::{post, web::Form, HttpResponse, Responder};
use serde::Deserialize;

#[derive(Deserialize)]
struct LoginForm {
    csrf_token: CsrfToken,
    username: String,
    password: String,
}

// Tells the Csrf extractor where to find the submitted token in the form.
impl CsrfGuarded for LoginForm {
    fn csrf_token(&self) -> &CsrfToken {
        &self.csrf_token
    }
}

/// Validates a login form that has a CSRF token.
#[post("/login")]
async fn login(form: Csrf<Form<LoginForm>>) -> impl Responder {
    // At this point, we have a valid CSRF token, so we can treat the request
    // as legitimate.
    let _ = form;

    HttpResponse::Ok().finish()
}

This is only one of many ways to use the Double-Submit Token pattern; see the docs and examples for more information.
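To make the check the middleware performs concrete, here is the core of the Double-Submit Token comparison written as a dependency-free example (added here; this is not actix-csrf's own code). The cookie name `csrf`, the form field `csrf_token`, and the sample request values are assumptions, as is that the token contains no percent-encoded characters.

```rust
// Added example of the double-submit check, independent of actix-csrf.
// Assumed names: cookie "csrf", form field "csrf_token".

#[derive(Debug, PartialEq)]
pub enum CsrfError {
    MissingCookie,
    MissingToken,
    Mismatch,
}

/// Returns the value of cookie `name` from a `Cookie:` header value.
pub fn cookie_value<'a>(cookie_header: &'a str, name: &str) -> Option<&'a str> {
    cookie_header
        .split(';')
        .map(str::trim)
        .filter_map(|kv| kv.split_once('='))
        .find(|(k, _)| *k == name)
        .map(|(_, v)| v)
}

/// Returns field `name` from an application/x-www-form-urlencoded body.
/// Assumes the token value needs no percent-decoding.
pub fn form_value<'a>(body: &'a str, name: &str) -> Option<&'a str> {
    body.split('&')
        .filter_map(|kv| kv.split_once('='))
        .find(|(k, _)| *k == name)
        .map(|(_, v)| v)
}

/// Constant-time equality: the comparison must not leak how many leading
/// bytes of the token matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Double-submit check: the cookie token and the body token must both be
/// present and identical; any other state rejects the request.
pub fn validate_double_submit(cookie_header: Option<&str>, body: &str) -> Result<(), CsrfError> {
    let cookie = cookie_header
        .and_then(|h| cookie_value(h, "csrf"))
        .ok_or(CsrfError::MissingCookie)?;
    let token = form_value(body, "csrf_token").ok_or(CsrfError::MissingToken)?;
    if ct_eq(cookie.as_bytes(), token.as_bytes()) { Ok(()) } else { Err(CsrfError::Mismatch) }
}

fn main() {
    // Constructed sample request in which cookie and form token agree.
    let r = validate_double_submit(Some("sid=abc; csrf=t0k3n"), "csrf_token=t0k3n&username=alice");
    println!("{r:?}"); // prints Ok(())
}
```

A request that carries only the cookie (a cross-site form post cannot read it) fails with MissingToken, which is the property the pattern relies on.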

Security Considerations

There are advantages and limitations to using the Double-Submit Token pattern. Users are strongly encouraged to read the OWASP article on CSRF protection before using this middleware.

This crate attempts to have secure defaults, and users must explicitly disable defense-in-depth features.

MSRV Changes

Changes to the Minimum Supported Rust Version (MSRV) will not be considered a breaking change. In pre-1.0 versions, changes to MSRV may occur in any update (e.g. 0.8.0 to 0.8.1), while after 1.0, changes to MSRV may appear as a minor or major update.

License

Licensed under either of

Apache License, Version 2.0 (LICENSE-APACHE)
MIT license (LICENSE-MIT)

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.