Add CSRF protection

[josephmancuso]

So this will require a few moving parts here.

So how CSRF works is that there is a random key generated (like 8yr8738b8b87b8br48gf84b7bv) at the start of each request. This changes on every request so it needs to be random.

This token can be used inside forms so there needs to be a {{ csrf_field() }} function which just points to the request.get_csrf() method or something. Check the HelpersProvider for how helper functions work. Especially in templates (it uses the View.share) method.

Then when the request is submitted via POST, the CSRF token outputted by the csrf_field() function is checked against the one that was at the start of the request. If it's the same then the request was made by the current. If it wasn't then there is something wrong and it should throw an exception like InvalidCSRFToken

Now there is something to be aware of and that is that not all routes should have to be CSRF protected. It should be up to the developer to choose the ones that are not protected (all routes should be protected by default).

What I'm thinking of is that only new CSRF tokens should be generated if it is a GET request. This allows you to have a POST request and check if the CSRF token is valid

Please let me know if you have any questions

[mapeveri]

I think it's pretty clear, what I think is that all routes must have csrf, now if a route does not need that protection, you should use some method or function, csrf_except or something similar.

[josephmancuso]

Should we do it in the routes.py file?

Post().route('url', 'controller').name('url').no_csrf()

or something like that?

This MAY create some complications when checking if its valid. but may not. We'd have to test

[mapeveri]

Yes, exactly.

[josephmancuso]

or option 2 would be to create a list of routes in a configuration file but meh. I like the speed involved in the routes file

[josephmancuso]

ok good

[josephmancuso]

I say a good route here is that unless I'm thinking wrong, Get() should not have a no_csrf() method on it. So we can do like option 1 from the contracts issue where the Base class (check the masonite/routes.py) file should have a NotImplemented and only the Post class should override it and the Get will throw an exception. Just in case people don't realize it's only for POST requests.

CSRF is not needed for GET requests correct?

[josephmancuso]

also remember that the Request object is instantiated before the server starts. So every time the request is made, its the same request object as the last request. Use that to your advantage. Think of it as a singleton

[mapeveri]

It's true for GET requests not is necessary the csrf protection, is more, for GET request It doesn't add protection, but the opposite, makes a possible attack in the site.