
Commit 63b2044

[new] [#467] Allow :csrf-token-fn to return :sente/skip-CSRF-check
1 parent d02ce20 commit 63b2044


1 file changed

+18
-15
lines changed


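--- a/src/taoensso/sente.cljc
+++ b/src/taoensso/sente.cljc
@@ -383,9 +383,10 @@
 :allowed-origins ; e.g. #{\"http://site.com\" ...}, defaults to :all. ; Alpha
 
 :csrf-token-fn ; ?(fn [ring-req]) -> CSRF-token for Ajax POSTs and WS handshake.
-; nil => CSRF check will be DISABLED (can pose a *CSRF SECURITY RISK*
-; for website use cases, so please ONLY disable this check if you're
-; very sure you understand the implications!).
+; nil fn or `:sente/skip-CSRF-check` return val => CSRF check will be
+; SKIPPED (can pose a *CSRF SECURITY RISK* for website use cases, so
+; please ONLY do this check if you're very sure you understand the
+; security implications!).
 
 :authorized?-fn ; ?(fn [ring-req]) -> When non-nil, (authorized?-fn <ring-req>)
 ; must return truthy, otherwise connection requests will be
@@ -635,19 +636,21 @@
 
 bad-csrf?
 (fn [ring-req]
-(if (nil? csrf-token-fn) ; Provides a way to disable CSRF check
-false
+(if (nil? csrf-token-fn)
+false ; Pass (skip check)
 (if-let [reference-csrf-token (csrf-token-fn ring-req)]
-(let [csrf-token-from-client
-(or
-(get-in ring-req [:params :csrf-token])
-(get-in ring-req [:headers "x-csrf-token"])
-(get-in ring-req [:headers "x-xsrf-token"]))]
-
-(not
-(enc/const-str=
-reference-csrf-token
-csrf-token-from-client)))
+(if (= reference-csrf-token :sente/skip-CSRF-check)
+false ; Pass (skip check)
+(let [csrf-token-from-client
+(or
+(get-in ring-req [:params :csrf-token])
+(get-in ring-req [:headers "x-csrf-token"])
+(get-in ring-req [:headers "x-xsrf-token"]))]
+
+(not
+(enc/const-str=
+reference-csrf-token
+csrf-token-from-client))))
 
 true ; By default fail if no CSRF token
 )))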
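Review bot: The rewritten docstring for :csrf-token-fn now reads "please ONLY do this check if you're very sure you understand the security implications", which inverts the warning; the dangerous action is skipping the check, not doing it. Suggest `; please ONLY skip this check if you're very sure you understand the` so the sentence warns about the right thing. It would also help callers to say here that the fn is called per request, so returning `:sente/skip-CSRF-check` from anything request- or session-derived turns the skip into a per-request decision an attacker may influence; the value should come from static configuration only.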
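Review bot: The skip is silent: when csrf-token-fn returns :sente/skip-CSRF-check the new branch at new line 642 returns false with no trace, so a misconfigured fn that skips the CSRF check in production leaves nothing in the logs to detect it by. Consider emitting a debug- or trace-level log on that branch (via the project's usual logging facility, which is not visible in this hunk) so skipped checks are observable, mirroring the existing nil-fn skip at new line 640. Because the sentinel is matched with plain `=` against whatever the user's fn returns for the current ring-req, the comparison should stay before the `const-str=` call as it is now, and the docstring should make clear the sentinel must not be derived from request data. The enclosing `let` that binds bad-csrf? starts outside the hunk.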
