Skip to main content

Surf

Basic CSRF protection middleware for Ambiorix

When a request comes in (it ignores GET, HEAD, and OPTIONS) it checks for the presence of a token. It looks for said token in the following places, in that order:

  • _csrf in the body of the response (e.g.: what was POSTed, see form example below), both JSON and multipart.
  • The query for _csrf value (?_csrf=token)
  • Header csrf-token
  • Header xsrf-token
  • Header x-csrf-token
  • Header x-xsrf-token

Where you need this token it can be retrieved with req$csrf_token.

Installation

# install.packages("remotes")
remotes::install_github("surf")

Example

Valid

library(surf)
library(ambiorix)

app <- Ambiorix$new()

# use the middleware
app$use(surf())

app$get("/", \(req, res){
res$sendf(
"<h1>What's your name?</h1>
<form action='/' method='POST' enctype='multipart/form-data'>
<input type='hidden' name='_csrf' value='%s' />
<input type='text' name='name' />
<input type='submit' value='send'/>
</form>",
req$csrf_token() # get token
)
})

app$post("/", \(req, res) {
body <- req$parse_multipart()
res$sendf("Hi %s", body$name)
})

app$start()

Invalid

library(surf)
library(ambiorix)

app <- Ambiorix$new()

# use the middleware
app$use(surf())

app$get("/", \(req, res){
# missing CSRF token
res$send(
"<h1>What's your name?</h1>
<form action='/' method='POST' enctype='multipart/form-data'>
<input type='text' name='name' />
<input type='submit' value='send'/>
</form>"
)
})

app$post("/", \(req, res) {
body <- req$parse_multipart()
res$sendf("Hi %s", body$name)
})

app$start()