Is there an existing feature request for this?
- I have searched the existing feature requests
Is your feature request related to a problem? Please describe.
Can we encode and decode CSRF tokens in a URL-safe Base64 format for use as the state parameter in OAuth authentication?
Looking at the library, CSRF tokens consistently appear to follow the base64.StdEncoding format.
```go
// requestToken returns the issued token (pad + masked token) from the HTTP POST
// body or HTTP header. It will return nil if the token fails to decode.
func (cs *csrf) requestToken(r *http.Request) ([]byte, error) {
	// 1. Check the HTTP header first.
	issued := r.Header.Get(cs.opts.RequestHeader)

	// 2. Fall back to the POST (form) value.
	if issued == "" {
		issued = r.PostFormValue(cs.opts.FieldName)
	}

	// 3. Finally, fall back to the multipart form (if set).
	if issued == "" && r.MultipartForm != nil {
		vals := r.MultipartForm.Value[cs.opts.FieldName]

		if len(vals) > 0 {
			issued = vals[0]
		}
	}

	// Return nil (equivalent to empty byte slice) if no token was found
	if issued == "" {
		return nil, nil
	}

	// Decode the "issued" (pad + masked) token sent in the request. Return a
	// nil byte slice on a decoding error (this will fail upstream).
	decoded, err := base64.StdEncoding.DecodeString(issued)
	if err != nil {
		return nil, err
	}

	return decoded, nil
}
```
Describe the solution that you would like.
I would like to have an option that supports URL-safe Base64 Encoding and Decoding for CSRF tokens.
Describe alternatives you have considered.
No response
Anything else?
No response
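An added example, not part of the issue or the library's code: it shows why a `base64.StdEncoding` token is altered when carried unescaped as the OAuth `state` query parameter, and how re-encoding the same bytes with `base64.RawURLEncoding` avoids that. `ToState`, `FromState`, `SurvivesQuery` and the sample bytes are hypothetical names and constructed data.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// ToState re-encodes a standard-Base64 token as unpadded URL-safe Base64.
// Hypothetical helper; the token bytes themselves are unchanged.
func ToState(stdToken string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stdToken)
	if err != nil {
		return "", fmt.Errorf("token is not standard Base64: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// FromState reverses ToState on the OAuth callback, tolerating "=" padding
// in case the state value comes back padded.
func FromState(state string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(state, "="))
	if err != nil {
		return "", fmt.Errorf("state is not URL-safe Base64: %w", err)
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// SurvivesQuery reports whether value is unchanged after being placed
// unescaped in a query string and parsed back out.
func SurvivesQuery(value string) bool {
	q, err := url.ParseQuery("state=" + value)
	return err == nil && q.Get("state") == value
}

// sampleToken returns a constructed 7-byte value (not a real CSRF token)
// chosen so its standard encoding contains '+', '/' and '='.
func sampleToken() string {
	return base64.StdEncoding.EncodeToString([]byte{0xfb, 0xef, 0xbe, 0xff, 0xfe, 0x01, 0x02})
}

func main() {
	std := sampleToken()
	state, _ := ToState(std)
	back, _ := FromState(state)
	fmt.Println(std, SurvivesQuery(std))     // standard form is altered by query parsing
	fmt.Println(state, SurvivesQuery(state)) // URL-safe form round-trips
	fmt.Println(back == std)
}
```

The value returned by `FromState` is in the standard encoding again, so it can be handed to the existing validation path unchanged; the re-encoding only affects transport, not the token bytes that are compared.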