Merge pull request #5 from wiseaidev/csrf-header-lifespan-patch

Csrf header lifespan patch

Author: wiseaidev

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rocket_csrf_token"
-version = "0.3.2"
+version = "0.3.3"
 authors = ["Alex Kotov <[email protected]>", "Mahmoud Harmouch <[email protected]>"]
 edition = "2021"
 description = "CSRF (Cross-Site Request Forgery) protection for Rocket web framework"

README.md

@@ -37,7 +37,7 @@ fn rocket() -> _ {
           ::default()
           .with_cookie_name("foobar")
           .with_cookie_len(64)
-          .with_lifetime(rocket::time::Duration::days(3))
+          .with_lifetime(Some(rocket::time::Duration::days(3)))
       )
     )
     .attach(Template::fairing())
@@ -115,9 +115,9 @@ See the complete code in [minimal example](examples/minimal).
 
 ## TODO
 
-- [X] Add fairing to verify all requests as an option (Requires unit tests).
-- [X] Verify `X-CSRF-Token` header (Requires unit tests).
-- [X] Set cookie to expire with session (Requires unit tests).
+- [X] Add fairing to verify all requests as an option.
+- [X] Verify `X-CSRF-Token` header.
+- [X] Set cookie to expire with session.
 - [ ] Add [data guard](https://api.rocket.rs/v0.5-rc/rocket/data/trait.FromData.html) to verify forms with a guard.
 - [ ] Add helpers to render form field.
 - [ ] Add helpers to add HTML meta tags for Ajax with `X-CSRF-Token` header (WIP).

examples/minimal/.env

@@ -0,0 +1,2 @@
+ROCKET_LOG_LEVEL=debug # one of `critical`, `normal`, `debug`, `off`
+ROCKET_SECRET_KEY=b28ad40f62b3ba9a7b2c114a483383583d460ddc914dbc3f4238a7419e1805f2a4a8412dd27254d7a321da49

examples/minimal/Cargo.lock

@@ -6,6 +6,7 @@ edition = "2021"
 publish = false
 
 [dependencies]
+dotenv = "0.15.0"
 rocket = "=0.5.0-rc.3"
 rocket_csrf_token = { path = "../.." }
 rocket_dyn_templates = { version = "0.1.0-rc.3", features = ["handlebars"] }

examples/minimal/Cargo.toml

@@ -14,19 +14,31 @@
 
 ![App Demo](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/lcpfehq4rsjpwrjjehvr.png)
 
+The cookie's expiration coincides with the end of the user's session. This alignment occurs because the token's lifespan is deliberately configured as `None`. By setting the lifespan to `None`, the token implicitly adopts the same lifespan as the session, which is the default behavior. This means that when the user's session ends, the token, being closely tied to it, also expires. This mechanism ensures that the token remains valid and active only as long as the session itself, enhancing security and reliability.
+
+![Session Cookie](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nbrd2kxsm91kuvtdm240.png)
+
 ## 🔒 CSRF Protection
 
 This project incorporates robust CSRF protection mechanisms. CSRF attacks occur when unauthorized requests are made on behalf of a user without their consent. Rocket's CSRF protection ensures that form submissions contain a valid CSRF token, significantly enhancing the security of your web forms. 🌐
 
 ## 🧪 Testing CSRF Protection
 
-To test the CSRF protection, you can use the following `curl` command:
+To rigorously assess the effectiveness of your Cross-Site Request Forgery (CSRF) protection mechanisms, you can employ the following `curl` command:
+
+```bash
+curl -X POST -d "authenticity_token=invalid" -d "text=sus" http://127.0.0.1:8000/comments
+```
+
+When executing this command, you should anticipate receiving a "403 Forbidden: Unauthorized Access" response from your Rocket application. Concurrently, the application will raise an error message stating "Error: Request lacks X-CSRF-Token." This outcome is a direct consequence of the provided `authenticity_token` being invalid. Furthermore, the request fails to include the essential `X-CSRF-Token` header. Subsequently, the CSRF token validation mechanism within your application rightfully rejects the request.
+
+To further evaluate your CSRF defenses, you can simulate a scenario where the `X-CSRF-Token` header is explicitly set as follows:
 
 ```bash
-curl -X POST -d "authenticity_token=invalid&text=sus" http://127.0.0.1:8000/comments
+curl -X POST  -H "X-CSRF-Token: invalid" -d "authenticity_token=invalid" -d "text=sus" http://127.0.0.1:8000/comments
 ```
 
-Running this command will result in a "403 Forbidden: Unauthorized Access" response. This occurs because the provided `authenticity_token` is invalid, and the CSRF token validation in the application rightfully rejects the request.
+In this scenario, the Rocket application will respond by displaying the error message "Error: CSRF token verification failed!" This time, both the provided `authenticity_token` and the supplied `X-CSRF-Token` header are determined to be invalid, resulting in a test of your CSRF protection.
 
 ## ✅ Successful POST Request
 

examples/minimal/README.md

@@ -5,6 +5,7 @@ extern crate rocket;
 #[macro_use]
 extern crate serde_derive;
 
+use dotenv;
 use rocket::form::Form;
 use rocket::request::{FlashMessage, FromRequest};
 use rocket::response::{Flash, Redirect};
@@ -37,13 +38,20 @@ impl<'r> FromRequest<'r> for Authenticated {
     }
 }
 
-#[launch]
-fn rocket() -> _ {
+#[rocket::main]
+async fn main() -> Result<(), rocket::Error> {
+    dotenv::dotenv().ok();
     rocket::build()
-        .attach(rocket_csrf_token::Fairing::default())
+        .attach(rocket_csrf_token::Fairing::new(
+            rocket_csrf_token::CsrfConfig::default().with_lifetime(None),
+        ))
         .attach(Template::fairing())
         .register("/", catchers![not_authorized])
         .mount("/", routes![index, new, create])
+        .launch()
+        .await
+        .expect("Launch Error");
+    Ok(())
 }
 
 #[get("/")]