dsc 0.1.2 → 0.1.3
raw patch · 3 files changed
+25/−14 lines, 3 filesPVP: major bump suggested
API removals or changes: PVP suggests a major version bump
API changes (from Hackage documentation)
- Web.Csrf: getCsrf :: Key -> IO Csrf
+ Web.Csrf: getCsrf :: ByteString -> IO Csrf
- Web.Csrf: mkCsrf :: Key -> ByteString -> ByteString -> Csrf
+ Web.Csrf: mkCsrf :: ByteString -> ByteString -> ByteString -> Csrf
- Web.Csrf: runCheck :: Key -> Csrf -> Csrf
+ Web.Csrf: runCheck :: ByteString -> Csrf -> Csrf
Files
- dsc.cabal +1/−1
- src/Web/Csrf.hs +20/−9
- test/CsrfSpec.hs +4/−4
dsc.cabal view
@@ -3,7 +3,7 @@ -- see: https://github.com/sol/hpack name: dsc-version: 0.1.2+version: 0.1.3 synopsis: Helper functions for setting up Double Submit Cookie defense for forms description: See README at <https://github.com/qoelet/dsc#readme> homepage: https://github.com/qoelet/dsc#readme
src/Web/Csrf.hs view
@@ -9,7 +9,7 @@ import Codec.Crypto.SimpleAES import Data.ByteString-import Data.ByteString.Base64+import Data.ByteString.Base64.URL import Data.String.Conversions newtype Token = MkToken ByteString@@ -24,9 +24,13 @@ , validationResult :: Maybe CsrfCheckResult } deriving (Eq, Show) -runCheck :: Key -> Csrf -> Csrf-runCheck key csrf@(Csrf (MkToken c) (MkToken t) _) = csrf { validationResult = Just result }+runCheck :: ByteString -> Csrf -> Csrf+runCheck keyBS csrf@(Csrf (MkToken c) (MkToken t) _) = csrf { validationResult = Just result } where+ key :: ByteString+ key = decodeLenient keyBS++ result :: CsrfCheckResult result = case (decode c, decode t) of (Right c', Right t') -> if decryptMsg ECB key (cs c') == decryptMsg ECB key (cs t')@@ -34,15 +38,22 @@ else Invalid _ -> Invalid -getCsrf :: Key -> IO Csrf+getCsrf :: ByteString -> IO Csrf getCsrf key = do secret <- randomKey- c <- encryptMsg ECB key (cs secret)- t <- encryptMsg ECB key (cs secret)- return $ Csrf (MkToken (encode . cs $ c)) (MkToken (encode . cs $ t)) Nothing+ c <- encryptMsg ECB (decodeLenient key) (cs secret)+ t <- encryptMsg ECB (decodeLenient key) (cs secret)+ return $ Csrf+ (MkToken (encode . cs $ c))+ (MkToken (encode . cs $ t))+ Nothing -mkCsrf :: Key -> ByteString -> ByteString -> Csrf-mkCsrf key c t = runCheck key (Csrf (MkToken c) (MkToken t) Nothing)+mkCsrf :: ByteString -> ByteString -> ByteString -> Csrf+mkCsrf keyBS c t+ = runCheck key (Csrf (MkToken c) (MkToken t) Nothing)+ where+ key :: ByteString+ key = decodeLenient keyBS unMkToken :: Token -> ByteString unMkToken (MkToken x) = x
test/CsrfSpec.hs view
@@ -3,7 +3,7 @@ module CsrfSpec where import Codec.Crypto.SimpleAES-import Data.ByteString.Base64+import Data.ByteString.Base64.URL import Data.String.Conversions import Test.Hspec import Test.QuickCheck@@ -23,8 +23,8 @@ propGetCsrfShouldAlwaysBeValid :: Property propGetCsrfShouldAlwaysBeValid = Q.monadicIO $ do testKey <- Q.run randomKey- myCsrf <- Q.run (getCsrf testKey)- Q.assert $ validationResult (runCheck testKey myCsrf) == Just Valid+ myCsrf <- Q.run (getCsrf (encode testKey))+ Q.assert $ validationResult (runCheck (encode testKey) myCsrf) == Just Valid propTokenMisMatchShouldBeInvalid :: Property propTokenMisMatchShouldBeInvalid = Q.monadicIO $ do@@ -33,4 +33,4 @@ cookieToken <- Q.run $ encryptMsg ECB testKey (cs secret) let badToken = "Foo" myCsrf = mkCsrf testKey (encode . cs $ cookieToken) badToken- Q.assert $ validationResult (runCheck testKey myCsrf) == Just Invalid+ Q.assert $ validationResult (runCheck (encode testKey) myCsrf) == Just Invalid