packages feed

dsc 0.1.2 → 0.1.3

raw patch · 3 files changed

+25/−14 lines, 3 filesPVP: major bump suggested

API removals or changes: PVP suggests a major version bump

API changes (from Hackage documentation)

- Web.Csrf: getCsrf :: Key -> IO Csrf
+ Web.Csrf: getCsrf :: ByteString -> IO Csrf
- Web.Csrf: mkCsrf :: Key -> ByteString -> ByteString -> Csrf
+ Web.Csrf: mkCsrf :: ByteString -> ByteString -> ByteString -> Csrf
- Web.Csrf: runCheck :: Key -> Csrf -> Csrf
+ Web.Csrf: runCheck :: ByteString -> Csrf -> Csrf

Files

dsc.cabal view
@@ -3,7 +3,7 @@ -- see: https://github.com/sol/hpack  name:                dsc-version:             0.1.2+version:             0.1.3 synopsis:            Helper functions for setting up Double Submit Cookie defense for forms description:         See README at <https://github.com/qoelet/dsc#readme> homepage:            https://github.com/qoelet/dsc#readme
src/Web/Csrf.hs view
@@ -9,7 +9,7 @@  import           Codec.Crypto.SimpleAES import           Data.ByteString-import           Data.ByteString.Base64+import           Data.ByteString.Base64.URL import           Data.String.Conversions  newtype Token = MkToken ByteString@@ -24,9 +24,13 @@ , validationResult :: Maybe CsrfCheckResult } deriving (Eq, Show) -runCheck :: Key -> Csrf -> Csrf-runCheck key csrf@(Csrf (MkToken c) (MkToken t) _) = csrf { validationResult = Just result }+runCheck :: ByteString -> Csrf -> Csrf+runCheck keyBS csrf@(Csrf (MkToken c) (MkToken t) _) = csrf { validationResult = Just result }   where+    key :: ByteString+    key = decodeLenient keyBS++    result :: CsrfCheckResult     result = case (decode c, decode t) of       (Right c', Right t') ->         if decryptMsg ECB key (cs c') == decryptMsg ECB key (cs t')@@ -34,15 +38,22 @@           else Invalid       _ -> Invalid -getCsrf :: Key -> IO Csrf+getCsrf :: ByteString -> IO Csrf getCsrf key = do   secret <- randomKey-  c <- encryptMsg ECB key (cs secret)-  t <- encryptMsg ECB key (cs secret)-  return $ Csrf (MkToken (encode . cs $ c)) (MkToken (encode . cs $ t)) Nothing+  c <- encryptMsg ECB (decodeLenient key) (cs secret)+  t <- encryptMsg ECB (decodeLenient key) (cs secret)+  return $ Csrf+    (MkToken (encode . cs $ c))+    (MkToken (encode . cs $ t))+    Nothing -mkCsrf :: Key -> ByteString -> ByteString -> Csrf-mkCsrf key c t = runCheck key (Csrf (MkToken c) (MkToken t) Nothing)+mkCsrf :: ByteString -> ByteString -> ByteString -> Csrf+mkCsrf keyBS c t+  = runCheck key (Csrf (MkToken c) (MkToken t) Nothing)+  where+    key :: ByteString+    key = decodeLenient keyBS  unMkToken :: Token -> ByteString unMkToken (MkToken x) = x
test/CsrfSpec.hs view
@@ -3,7 +3,7 @@ module CsrfSpec where  import           Codec.Crypto.SimpleAES-import           Data.ByteString.Base64+import           Data.ByteString.Base64.URL import           Data.String.Conversions import           Test.Hspec import           Test.QuickCheck@@ -23,8 +23,8 @@ propGetCsrfShouldAlwaysBeValid :: Property propGetCsrfShouldAlwaysBeValid = Q.monadicIO $ do   testKey <- Q.run randomKey-  myCsrf <- Q.run (getCsrf testKey)-  Q.assert $ validationResult (runCheck testKey myCsrf) == Just Valid+  myCsrf <- Q.run (getCsrf (encode testKey))+  Q.assert $ validationResult (runCheck (encode testKey) myCsrf) == Just Valid  propTokenMisMatchShouldBeInvalid :: Property propTokenMisMatchShouldBeInvalid = Q.monadicIO $ do@@ -33,4 +33,4 @@   cookieToken <- Q.run $ encryptMsg ECB testKey (cs secret)   let badToken = "Foo"       myCsrf = mkCsrf testKey (encode . cs $ cookieToken) badToken-  Q.assert $ validationResult (runCheck testKey myCsrf) == Just Invalid+  Q.assert $ validationResult (runCheck (encode testKey) myCsrf) == Just Invalid