dsc (empty) → 0.1.0
raw patch · 6 files changed
+170/−0 lines, 6 filesdep +QuickCheckdep +SimpleAESdep +basesetup-changed
Dependencies added: QuickCheck, SimpleAES, base, base64-bytestring, bytestring, hspec, string-conversions
Files
- LICENSE +30/−0
- Setup.hs +2/−0
- dsc.cabal +57/−0
- src/Web/Csrf.hs +44/−0
- test/CsrfSpec.hs +36/−0
- test/Spec.hs +1/−0
+ LICENSE view
@@ -0,0 +1,30 @@+Copyright Author name here (c) 2017++All rights reserved.++Redistribution and use in source and binary forms, with or without+modification, are permitted provided that the following conditions are met:++ * Redistributions of source code must retain the above copyright+ notice, this list of conditions and the following disclaimer.++ * Redistributions in binary form must reproduce the above+ copyright notice, this list of conditions and the following+ disclaimer in the documentation and/or other materials provided+ with the distribution.++ * Neither the name of Author name here nor the names of other+ contributors may be used to endorse or promote products derived+ from this software without specific prior written permission.++THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ Setup.hs view
@@ -0,0 +1,2 @@+import Distribution.Simple+main = defaultMain
+ dsc.cabal view
@@ -0,0 +1,57 @@+-- This file has been generated from package.yaml by hpack version 0.17.0.+--+-- see: https://github.com/sol/hpack++name: dsc+version: 0.1.0+synopsis: Helper functions for setting up Double Submit Cookie defense for forms+description: See README at <https://github.com/qoelet/dsc#readme>+homepage: https://github.com/qoelet/storeviva-login#readme+bug-reports: https://github.com/qoelet/storeviva-login/issues+license: MIT+license-file: LICENSE+maintainer: Kenny Shen <kenny@machinesung.com>+category: Web+build-type: Simple+cabal-version: >= 1.10++source-repository head+ type: git+ location: https://github.com/qoelet/storeviva-login++library+ hs-source-dirs:+ src+ ghc-options: -Wall+ exposed-modules:+ Web.Csrf+ other-modules:+ Paths_dsc+ build-depends:+ base >= 4.7 && < 5+ , base64-bytestring+ , bytestring+ , SimpleAES+ , string-conversions+ default-language: Haskell2010++test-suite spec+ type: exitcode-stdio-1.0+ main-is: Spec.hs+ hs-source-dirs:+ test+ src+ ghc-options: -Wall+ cpp-options: -DTEST+ build-depends:+ base >= 4.7 && < 5+ , base64-bytestring+ , bytestring+ , SimpleAES+ , string-conversions+ , hspec == 2.*+ , QuickCheck+ other-modules:+ CsrfSpec+ Web.Csrf+ default-language: Haskell2010
+ src/Web/Csrf.hs view
@@ -0,0 +1,44 @@+module Web.Csrf (+ Csrf (..)+, CsrfCheckResult (..)+, mkCsrf+, getCsrf+, runCheck+) where++import Codec.Crypto.SimpleAES+import Data.ByteString+import Data.ByteString.Base64+import Data.String.Conversions++newtype Token = MkToken ByteString+ deriving (Eq, Show)++data CsrfCheckResult = Invalid | Valid+ deriving (Eq, Show)++data Csrf = Csrf {+ cookie :: Token+, formToken :: Token+, validationResult :: Maybe CsrfCheckResult+} deriving (Eq, Show)++runCheck :: Key -> Csrf -> Csrf+runCheck key csrf@(Csrf (MkToken c) (MkToken t) _) = csrf { validationResult = Just result }+ where+ result = case (decode c, decode t) of+ (Right c', Right t') ->+ if decryptMsg ECB key (cs c') == decryptMsg ECB key (cs t')+ then Valid+ else Invalid+ _ -> Invalid++getCsrf :: Key -> IO Csrf+getCsrf key = do+ secret <- randomKey+ c <- encryptMsg ECB key (cs secret)+ t <- encryptMsg ECB key (cs secret)+ return $ Csrf (MkToken (encode . cs $ c)) (MkToken (encode . cs $ t)) Nothing++mkCsrf :: Key -> ByteString -> ByteString -> Csrf+mkCsrf key c t = runCheck key (Csrf (MkToken c) (MkToken t) Nothing)
+ test/CsrfSpec.hs view
@@ -0,0 +1,36 @@+{-# LANGUAGE OverloadedStrings #-}++module CsrfSpec where++import Codec.Crypto.SimpleAES+import Data.ByteString.Base64+import Data.String.Conversions+import Test.Hspec+import Test.QuickCheck+import Test.QuickCheck.Monadic as Q++import Web.Csrf++spec :: Spec+spec = do+ describe "getCsrf" $+ it "should generating matching tokens" $+ property propGetCsrfShouldAlwaysBeValid+ describe "runCheck" $+ it "should invalidate if csrf tokens do not match" $+ property propTokenMisMatchShouldBeInvalid++propGetCsrfShouldAlwaysBeValid :: Property+propGetCsrfShouldAlwaysBeValid = Q.monadicIO $ do+ testKey <- Q.run randomKey+ myCsrf <- Q.run (getCsrf testKey)+ Q.assert $ validationResult (runCheck testKey myCsrf) == Just Valid++propTokenMisMatchShouldBeInvalid :: Property+propTokenMisMatchShouldBeInvalid = Q.monadicIO $ do+ testKey <- Q.run randomKey+ secret <- Q.run randomKey+ cookieToken <- Q.run $ encryptMsg ECB testKey (cs secret)+ let badToken = "Foo"+ myCsrf = mkCsrf testKey (encode . cs $ cookieToken) badToken+ Q.assert $ validationResult (runCheck testKey myCsrf) == Just Invalid
+ test/Spec.hs view
@@ -0,0 +1,1 @@+{-# OPTIONS_GHC -F -pgmF hspec-discover #-}