dvv / stable

Library of assorted helpers for Cowboy web server.
MIT License

CSRF middleware #1

Open rambocoder opened 11 years ago

rambocoder commented 11 years ago

Vladimir, do you know if somebody created a CSRF prevention middleware for Cowboy?

dvv commented 11 years ago

I don't. But it should be fairly possible to spawn one based on cookie session invented here. What to read on the theme?

rambocoder commented 11 years ago

I tried implementing a CSRF middleware using your cowboy_session https://github.com/rambocoder/stable/commit/b26980d292ac42aadfe9921a961436e28cdbb693 however, the catch is that I need to read POST["_csrf"], and I do that using cowboy_req:body_qs/1 in the middleware module. However, in the page handler I tried to read the other body values again, and cowboy_req:body_qs/1 becomes useless, since Cowboy only allows you to read body_qs once :(

Given that body_qs can be read only once, and that there is no way to pass additional data from middleware to handlers in a clean way, it just makes sense not to have CSRF as middleware but to implement it in specific handlers.

dvv commented 11 years ago

https://github.com/extend/cowboy/issues/502 I believe you should store the read body in request meta. Or we might want to create a body parser middleware, put it before the CSRF one, and make the next layers not operate on the body directly.

rambocoder commented 11 years ago

If we have middleware that will parse the body, how could we pass the body information to the next middleware or to the handler? Using request meta?

dvv commented 11 years ago

I base this on the point that security is ensured by passing the CSRF token in a secure encrypted cookie so that it can't be snooped. If we change the CSRF token in the session every time, it is not guessable from outside and we can pass the token via the query string. Of course, someone more involved in the theme is welcome to judge.
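A middleware that does what the comments above ask for: read the body once, stash the decoded pairs in request meta so the handler never calls body_qs/1 again, then compare the `_csrf` field (or, as a fallback, the query-string parameter) against the per-session token and rotate the token after each successful check. This is an added example written for this thread, not code from dvv/stable or Cowboy. It assumes the Cowboy 0.8-era cowboy_req API that this discussion refers to, and it abstracts the session store behind two hypothetical funs, `session_get` and `session_set`, carried in the middleware env, since the exact cowboy_session calls are not shown on this page.

```erlang
%% csrf_body_middleware.erl
%%
%% Added example for this thread, not code from dvv/stable or Cowboy.
%% Assumes the Cowboy 0.8-era request API referred to above:
%%   cowboy_req:method/1, cowboy_req:has_body/1, cowboy_req:body_qs/1,
%%   cowboy_req:set_meta/3, cowboy_req:meta/3, cowboy_req:qs_val/2,
%%   cowboy_req:reply/4
%% Session access is abstracted as two hypothetical funs carried in the
%% middleware Env, {session_get, fun/2} and {session_set, fun/3}, which
%% you would wire to your cowboy_session installation.
-module(csrf_body_middleware).
-behaviour(cowboy_middleware).
-export([execute/2, body_params/1, body_param/2, new_token/0, valid_token/2]).

-define(TOKEN_BYTES, 32).
-define(SAFE_METHODS, [<<"GET">>, <<"HEAD">>, <<"OPTIONS">>]).

%% Middleware entry point. Safe (read-only) methods pass straight
%% through; every other method gets its body parsed once and its
%% CSRF token checked before the handler runs.
execute(Req, Env) ->
    {Method, Req1} = cowboy_req:method(Req),
    case lists:member(Method, ?SAFE_METHODS) of
        true  -> {ok, Req1, Env};
        false -> parse_body(Req1, Env)
    end.

%% Read the body exactly once and stash the decoded form pairs in
%% request meta. Later layers must use body_params/1 or body_param/2,
%% never cowboy_req:body_qs/1 again, which is the failure described in
%% the first comment of this thread.
parse_body(Req, Env) ->
    case cowboy_req:has_body(Req) of
        false ->
            check_token(cowboy_req:set_meta(body_params, [], Req), Env);
        true ->
            case cowboy_req:body_qs(Req) of
                {ok, Params, Req1} ->
                    check_token(cowboy_req:set_meta(body_params, Params, Req1), Env);
                {error, _Reason} ->
                    {error, 400, Req}
            end
    end.

check_token(Req, Env) ->
    {session_get, SessionGet} = lists:keyfind(session_get, 1, Env),
    {session_set, SessionSet} = lists:keyfind(session_set, 1, Env),
    {Expected, Req1} = SessionGet(csrf_token, Req),
    {Params, Req2} = cowboy_req:meta(body_params, Req1, []),
    %% Prefer the hidden form field; fall back to the query string as the
    %% thread proposes. That is sound for a per-session random token, but
    %% query strings do land in server logs and Referer headers.
    {Supplied, Req3} = case lists:keyfind(<<"_csrf">>, 1, Params) of
        {_, Value} -> {Value, Req2};
        false      -> cowboy_req:qs_val(<<"_csrf">>, Req2)
    end,
    case valid_token(Expected, Supplied) of
        true ->
            %% Rotate the token after every successful state change so a
            %% leaked token has the shortest possible useful life.
            Req4 = SessionSet(csrf_token, new_token(), Req3),
            {ok, Req4, Env};
        false ->
            {ok, Req4} = cowboy_req:reply(403, [], <<"invalid CSRF token">>, Req3),
            {halt, Req4}
    end.

%% Handler-side accessors for the body parsed by the middleware.
body_params(Req) ->
    cowboy_req:meta(body_params, Req, []).

body_param(Name, Req) ->
    {Params, Req1} = body_params(Req),
    case lists:keyfind(Name, 1, Params) of
        {_, Value} -> {Value, Req1};
        false      -> {undefined, Req1}
    end.

%% 256 bits from the OS CSPRNG, hex-encoded so the token survives form
%% and query-string encoding unchanged. Call this when rendering a form
%% for a session that has no token yet, store the result in the session
%% and emit it as <input type="hidden" name="_csrf" value="...">.
new_token() ->
    Random = crypto:strong_rand_bytes(?TOKEN_BYTES),
    iolist_to_binary([io_lib:format("~2.16.0b", [B]) || <<B>> <= Random]).

%% Constant-time equality: XOR every byte pair and OR the results, so
%% the time taken does not depend on how many leading bytes matched.
%% Anything that is not a binary of the expected length (missing field,
%% `true` from a value-less form key, undefined session) is rejected.
valid_token(Expected, Supplied)
        when is_binary(Expected), is_binary(Supplied),
             byte_size(Expected) =:= byte_size(Supplied) ->
    Diff = lists:foldl(fun({A, B}, Acc) -> Acc bor (A bxor B) end, 0,
                       lists:zip(binary_to_list(Expected), binary_to_list(Supplied))),
    Diff =:= 0;
valid_token(_Expected, _Supplied) ->
    false.
```

Wire it in with `{middlewares, [cowboy_router, csrf_body_middleware, cowboy_handler]}` and put the two session funs in the `env` proplist next to `dispatch`. Because the expected value is read from the server-side session rather than echoed back from a client-readable cookie, this is the synchronizer-token pattern: an attacker who can plant cookies on a sibling subdomain still cannot produce a matching `_csrf` value. Rotating the token on every successful request, as proposed above, does mean a stale form in a second browser tab will be rejected with 403, so decide whether per-session or per-request tokens fit the application.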

essen commented 11 years ago

@rambocoder Sorry to hijack this, but you sent me an email, I sent you a reply, and your ClamAV seems to reject all my emails to you.

dvv commented 11 years ago

FYI angular.js technique: http://docs.angularjs.org/api/ng.$http#jsonp