Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- (defn wrap-anti-forgery
- "Middleware that prevents CSRF attacks. Any POST request to the handler
- returned by this function must contain a valid anti-forgery token, or else an
- access-denied response is returned.
- The anti-forgery token can be placed into a HTML page via the
- *anti-forgery-token* var, which is bound to a random key unique to the
- current session. By default, the token is expected to be in a form field
- named '__anti-forgery-token', or in the 'X-CSRF-Token' or 'X-XSRF-Token'
- headers.
- Accepts the following options:
- :read-token - a function that takes a request and returns an anti-forgery
- token, or nil if the token does not exist
- :error-response - the response to return if the anti-forgery token is
- incorrect or missing
- :error-handler - a handler function to call if the anti-forgery token is
- incorrect or missing.
- Only one of :error-response, :error-handler may be specified."
- ([handler]
- (wrap-anti-forgery handler {}))
- ([handler options]
- {:pre [(not (and (:error-response options) (:error-handler options)))]}
- (let [read-token (:read-token options default-request-token)
- error-handler (make-error-handler options)]
- (fn
- ([request]
- (go-try
- (let [token (find-or-create-token request)]
- (binding [*anti-forgery-token* token]
- (if (valid-request? request read-token)
- (add-session-token (<? (handler request)) request token)
- (error-handler request))))))
- ([request respond raise]
- (go-try
- (let [token (find-or-create-token request)]
- (binding [*anti-forgery-token* token]
- (if (valid-request? request read-token)
- (<? (handler request #(respond (add-session-token % request token)) raise))
- (error-handler request respond raise))))))))))
Add Comment
Please, Sign In to add comment
