Support Authorisation

[ebebbington]

Possible duplicate of #28 ?

Summary

What:

Support authorisation, where web apps or API's might use CSRF tokens to protect endpoints

In my own case, the user needs to make a req to /, they get a CSRF token, that allows them to authenticate against the other endpoints. Because Sinco doesn't hold onto any sessions/headers/cookies etc, when it makes a request to my protected endpoint (even if i GET / first), i get a "No CSRF token passed in"

Why:

A lot of apps use this, without this feauture, it means many people/companies won't be able to adopt Sinco

Acceptance Criteria

Below is a list of tasks that must be completed before this issue can be closed.

• Write documentation
• Write unit tests
• Write integration tests

Example Pseudo Code (for implementation)

// Add example pseudo code for implementation

[ebebbington]

My thinking around this is:

• We should add a setCookie method to the api, that adds a cookie to the browser instance. This makes it easy if someone wants to access a protected resource(eg using csrf), they can just pass in a valid token
• A way to hold onto cookies across navigating pages, so say a user enters the home page (that gives them a token), they can now access other resources

Example:

// So i have two resources:
//   - home
//   - users
// Home reosurce gives you a csrf token, users resource requires a token to access the page

// Enter the users page directly
import { csrf } from "./middleware/csrf.ts" // drash middleware
const token = csrf.token
const Chrome = await buildFor("chrome")
await Chrome.setCookie("X-CSRF-TOKEN", token)
await Chrome.goto("localhost/users") // ok
await Chrome.assertSee("you are authed and on this page") // ok

// You enter the home page first to get the token, then go to the users page
await Chrome.goto("localhost") // saves the cookies for the session
await Chrome.goto("localhost/users") // ok, because the cookies for the browser has passed over

Thoughts?