Replace custom csrf with ring-anti-forgery - Githubissues

hoplon / castra

HTTP remote procedure call handler for Clojure.

172 stars 25 forks source link

Replace custom csrf with ring-anti-forgery #7

Closed mynomoto closed 10 years ago

mynomoto commented 10 years ago

It's a breaking change. It won't work without wrap-anti-forgery
A custom error-handler is necessary as the default response from ring-anti-forgery don't send a X-CSRF-Token header. Example:

(defn custom-error-handler [request]
  {:status 403
   :headers {"Content-Type" "text/html"
             "X-CSRF-Token" *anti-forgery-token*}
   :body "<h1>Missing anti-forgery token</h1>"})

(wrap-anti-forgery {:error-handler custom-error-handler})

Some modifications were necessary because the default response is not from castra. So no error handling on the client. I used the response status.

micha commented 10 years ago

This issue has been handled by changing the CSRF header name in a29d278fff207a8860e51e1f90b6329abf75fcca.