Merge pull request #1 from wiseaidev/fix-bugs

fix bugs, bump crates versions, fix base64 warnings

Author: wiseaidev

Cargo.toml

@@ -1,19 +1,19 @@
 [package]
-name = "rocket_csrf"
-version = "0.3.0"
-authors = ["Alex Kotov <kotovalexarian@gmail.com>"]
-edition = "2018"
+name = "rocket_csrf_token"
+version = "0.3.1"
+authors = ["Alex Kotov <kotovalexarian@gmail.com>", "Mahmoud Harmouch <oss@wiseai.dev>"]
+edition = "2021"
 description = "CSRF (Cross-Site Request Forgery) protection for Rocket web framework"
 readme = true
-homepage = "https://github.com/kotovalexarian/rocket_csrf"
-repository = "https://github.com/kotovalexarian/rocket_csrf.git"
+homepage = "https://github.com/wiseaidev/rocket_csrf_token "
+repository = "https://github.com/wiseaidev/rocket_csrf_token .git"
 license = "MIT"
 keywords = ["csrf", "http", "rocket", "security", "web"]
 categories = ["web-programming"]
 publish = true
 
 [dependencies]
-base64 = { version = "0.13.0" }
-bcrypt = { version = "0.9" }
-rand   = { version = "0.8.3" }
-rocket = { version = "0.5.0-rc.2", features = ["secrets"] }
+base64 = "0.21.5"
+bcrypt = "0.15.0"
+rand = "0.8.5"
+rocket = { version = "=0.5.0-rc.3", features = ["secrets"] }

README.md

@@ -1,149 +1,125 @@
-rocket_csrf
-===========
+# rocket_csrf_token
 
-CSRF (Cross-Site Request Forgery) protection for [Rocket](https://rocket.rs)
-web framework.
+A slightly more maintained version of [rocket_csrf](https://github.com/kotovalexarian/rocket_csrf).
 
-> **WARNING!**
-> The implementation is very simple for now and may not be ready for production.
+## Usage
 
-Discussion about CSRF protection in Rocket is
-[here](https://github.com/SergioBenitez/Rocket/issues/14).
-
-
-
-Table of contents
------------------
-
-* [Overview](#rocket_csrf)
-* [Table of contents](#table-of-contents)
-* [Usage](#usage)
-* [TODO](#todo)
-
-
-
-Usage
------
-
-Attach [fairing](https://rocket.rs/v0.5-rc/guide/fairings/#fairings) to the Rocket
-instance:
+Attach [fairing](https://rocket.rs/v0.5-rc/guide/fairings/#fairings) to the Rocket instance:
 
 ```rust
 #![feature(decl_macro)]
 
-#[macro_use] extern crate rocket;
-#[macro_use] extern crate serde_derive;
+#[macro_use]
+extern crate rocket;
+#[macro_use]
+extern crate serde_derive;
 
 use rocket_dyn_templates::Template;
 
 #[launch]
 fn rocket() -> _ {
-    rocket::ignite()
-        .attach(rocket_csrf::Fairing::default())
-        .attach(Template::fairing())
-        .mount("/", routes![new, create])
+    rocket::build()
+    .attach(rocket_csrf_token::Fairing::default())
+    .attach(Template::fairing())
+    .mount("/", routes![new, create])
 }
 ```
 
-You also can configure
-[fairing](https://rocket.rs/v0.5-rc/guide/fairings/#fairings):
+You also can configure [fairing](https://rocket.rs/v0.5-rc/guide/fairings/#fairings):
 
 ```rust
 #[launch]
 fn rocket() -> _ {
-    rocket::ignite()
-        .attach(rocket_csrf::Fairing::new(
-            rocket_csrf::CsrfConfig::default()
-                .with_cookie_name("foobar")
-                .with_cookie_len(64)
-                .with_lifetime(time::Duration::days(3)),
-        ))
-        .attach(Template::fairing())
-        .mount("/", routes![new, create])
+  rocket::build()
+    .attach(
+      rocket_csrf_token::Fairing::new(
+        rocket_csrf_token::CsrfConfig
+          ::default()
+          .with_cookie_name("foobar")
+          .with_cookie_len(64)
+          .with_lifetime(rocket::time::Duration::days(3))
+      )
+    )
+    .attach(Template::fairing())
+    .mount("/", routes![new, create])
 }
 ```
 
-Add [guard](https://rocket.rs/v0.5-rc/guide/requests/#request-guards) to any
-request where you want to have access to session's CSRF token (e.g. to include
-it in forms) or verify it (e.g. to validate form):
+Add [guard](https://rocket.rs/v0.5-rc/guide/requests/#request-guards) to any request where you want to have access to session's CSRF token (e.g. to include it in forms) or verify it (e.g. to validate form):
 
 ```rust
 use rocket::form::Form;
 use rocket::response::Redirect;
-use rocket_csrf::CsrfToken;
+use rocket_csrf_token::CsrfToken;
 use rocket_dyn_templates::Template;
 
 #[get("/comments/new")]
 fn new(csrf_token: CsrfToken) -> Template {
-    // your code
+  // your code
 }
 
 #[post("/comments", data = "<form>")]
 fn create(csrf_token: CsrfToken, form: Form<Comment>) -> Redirect {
-    // your code
+  // your code
 }
 ```
 
-Get CSRF token from
-[guard](https://rocket.rs/v0.5-rc/guide/requests/#request-guards)
-to use it in [templates](https://rocket.rs/v0.5-rc/guide/responses/#templates):
+Get CSRF token from [guard](https://rocket.rs/v0.5-rc/guide/requests/#request-guards) to use it in [templates](https://rocket.rs/v0.5-rc/guide/responses/#templates):
 
 ```rust
 #[get("/comments/new")]
 fn new(csrf_token: CsrfToken) -> Template {
-    let authenticity_token: &str = csrf_token.authenticity_token();
+  let authenticity_token: &str = csrf_token.authenticity_token();
 
-    // your code
+  // your code
 }
 ```
 
-Add CSRF token to your HTML forms in
-[templates](https://rocket.rs/v0.5-rc/guide/responses/#templates):
+Add CSRF token to your HTML forms in [templates](https://rocket.rs/v0.5-rc/guide/responses/#templates):
 
 ```html
 <form method="post" action="/comments">
-    <input type="hidden" name="authenticity_token" value="{{ authenticity_token }}"/>
-    <!-- your fields -->
+  <input
+    type="hidden"
+    name="authenticity_token"
+    value="{{ authenticity_token }}"
+  />
+  <!-- your fields -->
 </form>
 ```
 
-Add attribute `authenticity_token` to your
-[forms](https://rocket.rs/v0.5-rc/guide/requests/#forms):
+Add attribute `authenticity_token` to your [forms](https://rocket.rs/v0.5-rc/guide/requests/#forms):
 
 ```rust
 #[derive(FromForm)]
 struct Comment {
-    authenticity_token: String,
-    // your attributes
+  authenticity_token: String,
+  // your attributes
 }
 ```
 
-Validate [forms](https://rocket.rs/v0.5-rc/guide/requests/#forms) to have valid
-authenticity token:
+Validate [forms](https://rocket.rs/v0.5-rc/guide/requests/#forms) to have valid authenticity token:
 
 ```rust
 #[post("/comments", data = "<form>")]
 fn create(csrf_token: CsrfToken, form: Form<Comment>) -> Redirect {
-    if let Err(_) = csrf_token.verify(&form.authenticity_token) {
-        return Redirect::to(uri!(new));
-    }
+  if let Err(_) = csrf_token.verify(&form.authenticity_token) {
+    return Redirect::to(uri!(new));
+  }
 
-    // your code
+  // your code
 }
 ```
 
 See the complete code in [minimal example](examples/minimal).
 
+## TODO
 
-
-TODO
-----
-
-* [ ] Add fairing to verify all requests as an option.
-* [ ] Add [data guard](https://api.rocket.rs/v0.5-rc/rocket/data/trait.FromData.html) to verify forms with a guard.
-* [ ] Add helpers to render form field.
-* [ ] Add helpers to add HTML meta tags for Ajax with `X-CSRF-Token` header.
-* [ ] Verify `X-CSRF-Token` header.
-* [ ] Use authenticity token encryption from [Ruby on Rails](https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_controller/metal/request_forgery_protection.rb).
-* [ ] Allow to configure CSRF protection (CSRF token byte length, cookie name, etc.).
-* [ ] Set cookie to expire with session.
+- [ ] Add fairing to verify all requests as an option.
+- [ ] Add [data guard](https://api.rocket.rs/v0.5-rc/rocket/data/trait.FromData.html) to verify forms with a guard.
+- [ ] Add helpers to render form field.
+- [ ] Add helpers to add HTML meta tags for Ajax with `X-CSRF-Token` header.
+- [ ] Verify `X-CSRF-Token` header.
+- [ ] Use authenticity token encryption from [Ruby on Rails](https://github.com/rails/rails/blob/v6.0.3.4/actionpack/lib/action_controller/metal/request_forgery_protection.rb).
+- [ ] Allow to configure CSRF protection (CSRF token byte length, cookie name, etc.).
+- [ ] Set cookie to expire with session.

src/lib.rs

@@ -1,3 +1,4 @@
+use base64::{engine::general_purpose, Engine as _};
 use bcrypt::{hash, verify};
 use rand::{distributions::Standard, Rng};
 use rocket::{
@@ -42,9 +43,9 @@ impl Default for Fairing {
 }
 
 impl Default for CsrfConfig {
+    /// Set to 6hour for default in Database Session stores.
     fn default() -> Self {
         Self {
-            /// Set to 6hour for default in Database Session stores.
             lifespan: Duration::days(1),
             cookie_name: "csrf_token".into(),
             cookie_len: 32,
@@ -120,7 +121,7 @@ impl RocketFairing for Fairing {
             .take(config.cookie_len)
             .collect();
 
-        let encoded = base64::encode(&values[..]);
+        let encoded = general_purpose::STANDARD.encode(&values[..]);
 
         let expires = OffsetDateTime::now_utc() + config.lifespan;
 
@@ -141,7 +142,18 @@ impl<'r> FromRequest<'r> for CsrfToken {
 
         match request.valid_csrf_token_from_session(&config) {
             None => Outcome::Failure((Status::Forbidden, ())),
-            Some(token) => Outcome::Success(Self(base64::encode(token))),
+            Some(token) => Outcome::Success(Self(general_purpose::STANDARD.encode(token))),
+        }
+    }
+}
+
+#[async_trait]
+impl RocketFairing for CsrfToken {
+    // This is a request fairing named "GET CsrfToken".
+    fn info(&self) -> Info {
+        Info {
+            name: "GET/POST Counter",
+            kind: Kind::Request,
         }
     }
 }
@@ -164,6 +176,6 @@ impl RequestCsrf for Request<'_> {
     fn csrf_token_from_session(&self, config: &CsrfConfig) -> Option<Vec<u8>> {
         self.cookies()
             .get_private(&config.cookie_name)
-            .and_then(|cookie| base64::decode(cookie.value()).ok())
+            .and_then(|cookie| general_purpose::STANDARD.decode(cookie.value()).ok())
     }
 }

tests/fairing_configured.rs

@@ -1,6 +1,7 @@
 #[macro_use]
 extern crate rocket;
 
+use base64::{engine::general_purpose, Engine as _};
 const COOKIE_NAME: &str = "foobar";
 const COOKIE_LEN: usize = 64;
 
@@ -10,8 +11,8 @@ fn client() -> rocket::local::blocking::Client {
 
 fn rocket() -> rocket::Rocket<rocket::Build> {
     rocket::build()
-        .attach(rocket_csrf::Fairing::new(
-            rocket_csrf::CsrfConfig::default()
+        .attach(rocket_csrf_token::Fairing::new(
+            rocket_csrf_token::CsrfConfig::default()
                 .with_cookie_name(COOKIE_NAME)
                 .with_cookie_len(COOKIE_LEN)
                 .with_lifetime(rocket::time::Duration::days(3)),
@@ -24,15 +25,16 @@ fn index() {}
 
 #[test]
 fn add_csrf_token_to_cookies() {
-    base64::decode(
-        client()
-            .get("/")
-            .dispatch()
-            .cookies()
-            .iter()
-            .find(|cookie| cookie.name() == COOKIE_NAME)
-            .unwrap()
-            .value(),
-    )
-    .unwrap();
+    general_purpose::STANDARD
+        .decode(
+            client()
+                .get("/")
+                .dispatch()
+                .cookies()
+                .iter()
+                .find(|cookie| cookie.name() == COOKIE_NAME)
+                .unwrap()
+                .value(),
+        )
+        .unwrap();
 }

tests/fairing_default.rs

@@ -1,13 +1,14 @@
 #[macro_use]
 extern crate rocket;
 
+use base64::{engine::general_purpose, Engine as _};
 fn client() -> rocket::local::blocking::Client {
     rocket::local::blocking::Client::tracked(rocket()).unwrap()
 }
 
 fn rocket() -> rocket::Rocket<rocket::Build> {
     rocket::build()
-        .attach(rocket_csrf::Fairing::default())
+        .attach(rocket_csrf_token::Fairing::default())
         .mount("/", routes![index])
 }
 
@@ -16,15 +17,16 @@ fn index() {}
 
 #[test]
 fn add_csrf_token_to_cookies() {
-    base64::decode(
-        client()
-            .get("/")
-            .dispatch()
-            .cookies()
-            .iter()
-            .find(|cookie| cookie.name() == "csrf_token")
-            .unwrap()
-            .value(),
-    )
-    .unwrap();
+    general_purpose::STANDARD
+        .decode(
+            client()
+                .get("/")
+                .dispatch()
+                .cookies()
+                .iter()
+                .find(|cookie| cookie.name() == "csrf_token")
+                .unwrap()
+                .value(),
+        )
+        .unwrap();
 }