Further improve CSRF error messages
* Recommend checking if the HTTP client is persisting cookies
MaxGabriel committed Nov 18, 2017
1 parent c344f16 commit 54daba6
Showing 1 changed file with 10 additions and 3 deletions.
13 changes: 10 additions & 3 deletions yesod-core/Yesod/Core/Handler.hs
@@ -1576,11 +1576,18 @@ data CSRFExpectation = CSRFHeader Text (Maybe Text) -- Key/Value

csrfErrorMessage :: [CSRFExpectation]
-> Text -- ^ Error message
csrfErrorMessage expectedLocations = "A valid CSRF token wasn't present. Because the request could have been forged, it's been rejected altogether. Check the Yesod.Core.Handler docs of the yesod-core package for details on CSRF protection.\nTip: By default, the CSRF token is sent to the client in a cookie named " `mappend` (decodeUtf8 defaultCsrfCookieName) `mappend` ".\nTip: The server is looking for the token in the following locations:\n" `mappend` T.intercalate "\n" (map csrfLocation expectedLocations)
csrfErrorMessage expectedLocations = T.intercalate "\n"
[ "A valid CSRF token wasn't present. Because the request could have been forged, it's been rejected altogether."
, "If you're a developer of this site, these tips will help you debug the issue:"
, "- Read the Yesod.Core.Handler docs of the yesod-core package for details on CSRF protection."
, "- Check that your HTTP client is persisting cookies between requests, like a browser does."
, "- By default, the CSRF token is sent to the client in a cookie named " `mappend` (decodeUtf8 defaultCsrfCookieName) `mappend` "."
, "- The server is looking for the token in the following locations:\n" `mappend` T.intercalate "\n" (map csrfLocation expectedLocations)
]

where csrfLocation expected = case expected of
CSRFHeader k v -> T.concat ["- An HTTP header named ", k, " ", (formatValue v)]
CSRFParam k v -> T.concat ["- A POST parameter named ", k, " ", (formatValue v)]
CSRFHeader k v -> T.intercalate " " [" - An HTTP header named", k, (formatValue v)]
CSRFParam k v -> T.intercalate " " [" - A POST parameter named", k, (formatValue v)]

formatValue :: Maybe Text -> Text
formatValue maybeText = case maybeText of
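Review bot: In the new `csrfLocation` branches, `formatValue v` is interpolated verbatim into a message that is returned to the client, and `CSRFExpectation` is declared as `CSRFHeader Text (Maybe Text) -- Key/Value`; since the body of `formatValue` is outside this hunk, please confirm that the `Maybe Text` only ever carries the expected header or parameter name/description and never the actual token value, otherwise the 403 body would echo the secret the check is meant to protect. Two smaller points on the same lines: `(formatValue v)` needs no parentheses inside a list literal, and when `formatValue v` yields an empty string, `T.intercalate " " [" - An HTTP header named", k, ""]` leaves a trailing space after `k`; filtering out empty elements (or appending the value only when it is `Just`) would keep the lines clean. The rewrite to a `T.intercalate "\n"` list with a developer-facing tips section reads well, and the cookie-persistence tip is a good addition given how often CSRF 403s come from non-browser clients dropping the cookie.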
