Skip to content

feat: Add CSRF protection for gateway WebSocket#60

Merged
rexlunae merged 6 commits intomainfrom
feat/csrf-protection
Feb 17, 2026
Merged

feat: Add CSRF protection for gateway WebSocket#60
rexlunae merged 6 commits intomainfrom
feat/csrf-protection

Conversation

@rexlunae
Copy link
Copy Markdown
Owner

@rexlunae rexlunae commented Feb 17, 2026

Summary

Adds CSRF token generation and validation for gateway control messages from @aecs4u (PR #21).

Security Purpose

Prevents cross-site WebSocket hijacking attacks where a malicious webpage could:

  • Send control commands to a locally-running gateway
  • Reload configuration with malicious settings
  • Enable elevated mode without user consent

Implementation

CsrfStore (src/gateway/csrf.rs)

  • Issues 32-byte cryptographically random tokens
  • URL-safe base64 encoding
  • Configurable TTL (default: 1 hour)
  • Automatic pruning of expired tokens

Flow

  1. Gateway issues CSRF token in hello frame
  2. TUI/CLI stores token from hello response
  3. Control messages include token
  4. Gateway validates before processing

Usage

use rustyclaw::gateway::csrf::CsrfStore;

let mut store = CsrfStore::default();
let token = store.issue_token();

// Later, validate incoming token
if !store.validate(&incoming_token) {
    return Err("Invalid CSRF token");
}

Tests

  • Token is 32 cryptographically random bytes
  • Fresh tokens validate successfully
  • Expired tokens are rejected

Dependencies

  • rand = "0.9" — Cryptographic RNG

Attribution

Original implementation by @aecs4u

@rexlunae
feat: Add CSRF protection for gateway WebSocket
d4b7a90 
Adds CSRF token generation and validation for gateway control messages
from @aecs4u (PR #21).

## Features

### CsrfStore
In-memory token store with automatic TTL expiry:
- Issues 32-byte cryptographically random tokens (URL-safe base64)
- Configurable TTL (default: 1 hour)
- Automatic pruning of expired tokens
- Thread-safe token validation

### Usage
```rust
use rustyclaw::gateway::csrf::CsrfStore;

let mut store = CsrfStore::default();

// Issue token in hello frame
let token = store.issue_token();

// Validate on control messages
if !store.validate(&token) {
    return Err("Invalid CSRF token");
}
```

### Integration Points
- Gateway issues token in hello frame
- TUI/CLI stores token from hello response
- Control messages (reload, elevated, etc.) include token
- Gateway validates before processing

## Dependencies Added
- `rand = "0.9"` — Cryptographic random number generation

## Tests Included
- Token length verification (32 bytes)
- Fresh token validation
- Expired token rejection

## Attribution
Original implementation by @aecs4u
@rexlunae
Update golden file for new gateway subcommands
1c39208
@rexlunae
Revert golden file to match branch (no install/uninstall/logs)
b9eed23
@rexlunae
Fix rand 0.9 API: use rand::rng().fill() instead of OsRng.fill_bytes()
25ec93b
@rexlunae
Merge branch 'main' into feat/csrf-protection
8442c17
@rexlunae
Remove duplicate rand dependency
815debe
@rexlunae rexlunae merged commit ada6170 into main Feb 17, 2026
10 checks passed
@rexlunae rexlunae deleted the feat/csrf-protection branch February 17, 2026 03:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rexlunae