nova_csrf_plugin (nova v0.14.3)
CSRF protection plugin for Nova using the synchronizer token pattern.
Generates a random token per session, stores it server-side, and validates it on state-changing requests (POST, PUT, PATCH, DELETE).
Important: nova_request_plugin must run before this plugin so that form params are parsed into the params key of the request map.
Options
field_name — form field name (default <<"_csrf_token">>)
header_name — header name (default <<"x-csrf-token">>)
session_key — session storage key (default <<"_csrf_token">>)
excluded_paths — list of path prefixes to skip (default [])
Functions
-spec plugin_info() -> #{title := binary(), version := binary(), url := binary(), authors := [binary()], description := binary(), options := [{Key :: atom(), OptionDescription :: binary()}]}.
Plugin info callback.
-spec post_request(Req :: cowboy_req:req(), Env :: any(), Options :: map(), State :: any()) -> {ok, Req0 :: cowboy_req:req(), NewState :: any()}.
Post-request callback. Pass-through.
-spec pre_request(Req :: cowboy_req:req(), Env :: any(), Options :: map(), State :: any()) -> {ok, Req0 :: cowboy_req:req(), NewState :: any()} | {stop, nova_plugin:reply(), Req0 :: cowboy_req:req(), NewState :: any()}.
Pre-request callback. On safe methods, ensures a CSRF token exists in the session and injects it into the Req map. On unsafe methods, validates the submitted token against the session token.
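The validation step described above, sketched as a stand-alone Erlang module. This is an added example, not nova_csrf_plugin's source: the module name, the constructed request maps, the form-field-before-header lookup order, byte-prefix matching of excluded_paths and the constant-time comparison are all assumptions.

```erlang
%% Added illustration of the synchronizer token check; hypothetical module,
%% not nova_csrf_plugin's source. Requires OTP 25+ for crypto:hash_equals/2.
-module(csrf_sketch).
-export([new_token/0, check/3, demo/0]).

-define(UNSAFE, [<<"POST">>, <<"PUT">>, <<"PATCH">>, <<"DELETE">>]).

%% 32 bytes from the CSPRNG, base64 encoded so it fits a form field or header.
new_token() -> base64:encode(crypto:strong_rand_bytes(32)).

%% Req is a constructed map shaped like the parsed request; Opts uses the
%% option names and defaults documented above.
check(#{method := Method, path := Path} = Req, SessionToken, Opts) ->
    Excluded = maps:get(excluded_paths, Opts, []),
    case lists:member(Method, ?UNSAFE) andalso not excluded(Path, Excluded) of
        false -> allow;
        true -> validate(submitted(Req, Opts), SessionToken)
    end.

%% Assumption: the form field is consulted first, then the header.
submitted(Req, Opts) ->
    Field = maps:get(field_name, Opts, <<"_csrf_token">>),
    Header = maps:get(header_name, Opts, <<"x-csrf-token">>),
    case maps:get(Field, maps:get(params, Req, #{}), undefined) of
        undefined -> maps:get(Header, maps:get(headers, Req, #{}), undefined);
        Token -> Token
    end.

%% Assumption: plain byte-prefix match, so <<"/hooks">> would also skip
%% "/hooks-admin"; a trailing slash keeps the exclusion narrow.
excluded(Path, Prefixes) ->
    lists:any(fun(P) -> binary:longest_common_prefix([P, Path]) =:= byte_size(P) end,
              Prefixes).

validate(Sub, Sess) when is_binary(Sub), is_binary(Sess),
                         byte_size(Sub) =:= byte_size(Sess) ->
    %% Constant-time compare; hash_equals/2 needs equal sizes, checked above.
    case crypto:hash_equals(Sub, Sess) of true -> allow; false -> {deny, mismatch} end;
validate(_, _) -> {deny, missing_or_malformed}.

%% Constructed requests: token in form, token in header, no token,
%% wrong token, and an excluded path.
demo() ->
    T = new_token(),
    Opts = #{excluded_paths => [<<"/hooks/">>]},
    Post = #{method => <<"POST">>, path => <<"/account/email">>},
    [check(Post#{params => #{<<"_csrf_token">> => T}}, T, Opts),
     check(Post#{headers => #{<<"x-csrf-token">> => T}}, T, Opts),
     check(Post, T, Opts),
     check(Post#{params => #{<<"_csrf_token">> => new_token()}}, T, Opts),
     check(Post#{path => <<"/hooks/example">>}, T, Opts)].
```

Calling `csrf_sketch:demo()` in an Erlang shell returns one decision per constructed request, in the order listed in the comment above `demo/0`.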