2019-01-16
Hi everyone. Having trouble figuring out how to get ring-anti-forgery to work on client-side JS forms. It seems like the client-side JS process doesn't have access to the server vars, so I can't simply add a hidden field with *anti-forgery-token* as the value. Given that index.html is retrieved only once, I assume this isn't the CSRF token that is used for the lifetime of the browser process. I can't be the only one facing this; but I can't find anything. Does every request to the server have to also update the client-side CSRF token? That seems crazy...
Does ring-anti-forgery do session-level CSRF?
I haven't gone into the code, but its mention of "synchronizer pattern" implies (to me) request-level tokens.
I'm really wrong. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Synchronizer_Token_Pattern
Session-level it is. Seems insecure to me, but I don't do infosec.
So I get it from index.html, presumably in the header, and use that to seed the initial re-frame state (using re-frame in my app).
The only issue is that I have to treat every GET of index.html as a new session. But to Ring, there is no session, unless each HTTP request from reagent/re-frame sets the session ID in the header, perhaps by cookie. So these are anon GETs. How do I ensure Ring forces a new CSRF token on the server side with each index.html GET?
OK, n/m. My paranoia is satisfied. https://github.com/ring-clojure/ring/wiki/Sessions
If a cookie is never set, each HTTP request belongs to a new session.
It raises the question of how to make reagent/re-frame set the cookie on login, but that's later.
Thanks!
Wow @me1238 that answers my question as well - I always thought CSRF tokens were request-level. Thanks!
@orestis They can be. If using Ring, just swap out the strategy. But out of the box they're not.
It seems like the best way is to - within re-frame's main, before the main-panel render - do a GET request to an /api/init route handler, which will include the token in the response header. https://github.com/Day8/re-frame/wiki/Bootstrap-An-Application This has the added benefit of supporting session resumption, which is typically what one would want.
It looks like Chestnut generates a template for core.cljs with a render function that does a dispatch-sync with the :initialize-db event, which would be where all this goes.
Sorry, this is getting really re-frame specific. Will move.