CsrfPlus (CsrfPlus v0.2.0)

A CSRF (Cross-Site Request Forgery) protection Plug with support for storing accesses.

Functions

The default max age for a token

Get a token from the connection session if it exists on the store or generate a new one otherwise. This function will try to use the signed token from the header, if it's valid.

Params

  • conn - the connection struct.

Returns

A tuple with the token and its signed version, in the format {token, signed_token}.

Digs into the connection data to build a user access information struct.

put_header_token(conn, signed_token)

Put the token in the header. It uses the conn struct to determine the header name.

Params

  • conn - the connection struct.
  • signed_token - the signed version of the CSRF token.

put_session_token(conn, token, access_id \\ nil)

Put the token and the given access_id in the session. Uses the conn struct to determine the needed keys.

Params

  • conn - the connection struct.
  • token - the CSRF unsigned token.
  • access_id - the access id. If none is given, no access id is put in the session. Defaults to nil.

put_store_token(conn, token, access_id)

Put the token in the store. If a conn_to_access function is implemented in the configured store, that function is called with the given params to generate the CsrfPlus.UserAccess that is put into the store. See CsrfPlus.Store.Behaviour for more about the conn_to_access callback.

Params

  • conn - the connection struct.
  • token - the CSRF unsigned token.
  • access_id - the access id. It is required here because a stored token must be associated with an identifier.

put_token(conn, opts \\ [])

Uses the plug configuration to put the token and its signed version into the store, session and x-csrf-token header.

Under the hood this function calls the base functions put_session_token/3, put_header_token/2 and put_store_token/3; see them for details of how each token is stored.

Params

  • conn - The connection struct.
  • opts - The options.

Options

The options are a keyword list with the following keys:

  • :access_id - the id of the access. If none is given CsrfPlus will generate one.
  • :token_tuple - a tuple with the token and its signed version in the format {token, signed_token}. This option is required.
  • :exclude - a list of targets to exclude. An excluded target will not receive the token (see the exclude list below).

Exclude list

  • :session - do not put the session token.
  • :header - do not put the header token.
  • :store - do not put the store token.
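As an added example (not code from the CsrfPlus project), the following Plug issues a token pair with put_token/2 and uses the :exclude option to skip the session write for cookie-less API clients while keeping the header and the server-side store. The function that returns {token, signed_token} is documented above without its name; get_token/1 below is an assumed name, as are the module name MyAppWeb.IssueCsrfToken, the :mode option and the current_user assign set by an earlier authentication plug.

```elixir
# Added example, not CsrfPlus's own code. Assumes CsrfPlus.put_token/2 and its
# :access_id, :token_tuple and :exclude options behave as documented on this
# page. CsrfPlus.get_token/1 is an assumed name for the documented function
# that returns {token, signed_token}.
defmodule MyAppWeb.IssueCsrfToken do
  @behaviour Plug

  @impl true
  def init(opts), do: Keyword.validate!(opts, mode: :browser)

  @impl true
  def call(conn, opts) do
    # The access id ties the stored token to the authenticated principal.
    # When it is nil, CsrfPlus generates one (per the :access_id docs above).
    access_id = access_id_for(conn)

    # Assumed function name; the page documents the behaviour but not the name.
    token_tuple = CsrfPlus.get_token(conn)

    CsrfPlus.put_token(conn,
      access_id: access_id,
      token_tuple: token_tuple,
      exclude: exclude_for(opts[:mode])
    )
  end

  # Browser clients get the token in session, header and store.
  defp exclude_for(:browser), do: []

  # API clients carry no cookie session, so only the x-csrf-token header and
  # the store are written; the store entry still binds the token to access_id.
  defp exclude_for(:api), do: [:session]

  # current_user is assumed to be assigned by an earlier authentication plug.
  defp access_id_for(%Plug.Conn{assigns: %{current_user: %{id: id}}}), do: "user:#{id}"
  defp access_id_for(_conn), do: nil
end
```

In a router pipeline this is wired as `plug MyAppWeb.IssueCsrfToken, mode: :api` (or with no options for the browser default). Because :token_tuple is required by put_token/2, the plug always obtains the pair first; excluding :store would leave nothing bound to the access id on the server, so the example only ever excludes :session.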