public bool Equals(CsrfToken other) { if (ReferenceEquals(null, other)) return false; if (ReferenceEquals(this, other)) return true; return this.RandomBytes.SequenceEqual(other.RandomBytes) && other.CreatedDate.Equals(this.CreatedDate) && this.Hmac.SequenceEqual(other.Hmac); }
public void Should_return_token_ok_if_tokens_match_and_no_expiry_set() { DateTime date = DateTime.Now; var tokenOne = new CsrfToken { CreatedDate = date, RandomBytes = new byte[] { 1, 2, 3 } }; var tokenTwo = new CsrfToken { CreatedDate = date, RandomBytes = new byte[] { 1, 2, 3 } }; tokenOne.CreateHmac(this.hmacProvider); tokenTwo.CreateHmac(this.hmacProvider); var result = this.validator.Validate(tokenOne, tokenTwo); result.ShouldEqual(CsrfTokenValidationResult.Ok); }
public void Should_return_token_mismatch_if_tokens_differ() { DateTime date = DateTime.Now; var tokenOne = new CsrfToken { CreatedDate = date, RandomBytes = new byte[] { 1, 2, 3 } }; var tokenTwo = new CsrfToken { CreatedDate = date, RandomBytes = new byte[] { 1, 4, 3 } }; tokenOne.CreateHmac(this.hmacProvider); tokenTwo.CreateHmac(this.hmacProvider); var result = this.validator.Validate(tokenOne, tokenTwo); result.ShouldEqual(CsrfTokenValidationResult.TokenMismatch); }
public void Should_return_token_mismatch_if_random_bytes_empty() { DateTime date = DateTime.Now; var tokenOne = new CsrfToken { CreatedDate = date, RandomBytes = ArrayCache.Empty<byte>() }; var tokenTwo = new CsrfToken { CreatedDate = date, RandomBytes = ArrayCache.Empty<byte>() }; tokenOne.CreateHmac(this.hmacProvider); tokenTwo.CreateHmac(this.hmacProvider); var result = this.validator.Validate(tokenOne, tokenTwo); result.ShouldEqual(CsrfTokenValidationResult.TokenTamperedWith); }
private static CsrfToken GetCookieToken(Request request) { CsrfToken cookieToken = null; string cookieTokenString; if (request.Cookies.TryGetValue(CsrfToken.DEFAULT_CSRF_KEY, out cookieTokenString)) { cookieToken = (CsrfToken)CsrfStartup.ObjectSerializer.Deserialize(HttpUtility.UrlDecode(cookieTokenString)); } return(cookieToken); }
private static CsrfToken GetCookieToken(Request request) { CsrfToken cookieToken = null; string cookieTokenString; if (request.Cookies.TryGetValue(CsrfToken.DEFAULT_CSRF_KEY, out cookieTokenString)) { cookieToken = ParseToCsrfToken(cookieTokenString); } return(cookieToken); }
private static CsrfToken GetFormToken(Request request) { CsrfToken formToken = null; var formTokenString = request.Form[CsrfToken.DEFAULT_CSRF_KEY].Value; if (formTokenString != null) { formToken = (CsrfToken)CsrfStartup.ObjectSerializer.Deserialize(formTokenString); } return(formToken); }
private static CsrfToken GetProvidedToken(Request request) { CsrfToken providedToken = null; var providedTokenString = request.Form[CsrfToken.DEFAULT_CSRF_KEY].Value ?? request.Headers[CsrfToken.DEFAULT_CSRF_KEY].FirstOrDefault(); if (providedTokenString != null) { providedToken = ParseToCsrfToken(providedTokenString); } return(providedToken); }
/// <summary> /// Creates a new csrf token for this response with an optional salt. /// Only necessary if a particular route requires a new token for each request. /// </summary> /// <param name="module">Nancy module</param> /// <returns></returns> public static void CreateNewCsrfToken(this INancyModule module) { var token = new CsrfToken { CreatedDate = DateTime.Now, }; token.CreateRandomBytes(); token.CreateHmac(CsrfApplicationStartup.CryptographyConfiguration.HmacProvider); var tokenString = CsrfApplicationStartup.ObjectSerializer.Serialize(token); module.Context.Items[CsrfToken.DEFAULT_CSRF_KEY] = tokenString; }
private static CsrfToken GetCookieToken(Request request) { CsrfToken cookieToken = null; string cookieTokenString; if (request.Cookies.TryGetValue(CsrfToken.DEFAULT_CSRF_KEY, out cookieTokenString)) { cookieToken = CsrfApplicationStartup.ObjectSerializer.Deserialize(cookieTokenString) as CsrfToken; } return(cookieToken); }
private static CsrfToken GetProvidedToken(Request request) { CsrfToken providedToken = null; var providedTokenString = request.Form[CsrfToken.DEFAULT_CSRF_KEY].Value ?? request.Headers[CsrfToken.DEFAULT_CSRF_KEY].FirstOrDefault(); if (providedTokenString != null) { providedToken = CsrfApplicationStartup.ObjectSerializer.Deserialize(providedTokenString) as CsrfToken; } return(providedToken); }
public void Should_return_token_tampered_with_if_hmac_incorrect() { DateTime date = DateTime.Now; var tokenOne = new CsrfToken { CreatedDate = date, RandomBytes = new byte[] { 1, 2, 3 } }; var tokenTwo = new CsrfToken { CreatedDate = date, RandomBytes = new byte[] { 1, 2, 3 } }; tokenOne.CreateHmac(this.hmacProvider); tokenTwo.CreateHmac(this.hmacProvider); tokenOne.Hmac[0] -= 1; tokenTwo.Hmac[0] -= 1; var result = this.validator.Validate(tokenOne, tokenTwo); result.ShouldEqual(CsrfTokenValidationResult.TokenTamperedWith); }
/// <summary> /// Creates a new csrf token for this response with an optional salt. /// Only necessary if a particular route requires a new token for each request. /// </summary> /// <param name="module">Nancy module</param> /// <returns></returns> public static void CreateNewCsrfToken(this NancyModule module) { var token = new CsrfToken { CreatedDate = DateTime.Now, }; token.CreateRandomBytes(); token.CreateHmac(CsrfApplicationStartup.CryptographyConfiguration.HmacProvider); var tokenString = CsrfApplicationStartup.ObjectSerializer.Serialize(token); module.Context.Items[CsrfToken.DEFAULT_CSRF_KEY] = tokenString; }
/// <summary> /// Creates a new csrf token with an optional salt. /// Does not store the token in context. /// </summary> /// <returns>The generated token</returns> internal static string GenerateTokenString(CryptographyConfiguration cryptographyConfiguration = null) { cryptographyConfiguration = cryptographyConfiguration ?? CsrfApplicationStartup.CryptographyConfiguration; var token = new CsrfToken { CreatedDate = DateTime.Now, }; token.CreateRandomBytes(); token.CreateHmac(cryptographyConfiguration.HmacProvider); var tokenString = CsrfApplicationStartup.ObjectSerializer.Serialize(token); return(tokenString); }
public bool Equals(CsrfToken other) { if (ReferenceEquals(null, other)) { return(false); } if (ReferenceEquals(this, other)) { return(true); } return(this.RandomBytes.SequenceEqual(other.RandomBytes) && other.CreatedDate.Equals(this.CreatedDate) && this.Hmac.SequenceEqual(other.Hmac)); }
/// <summary> /// Enables Csrf token generation. /// This is disabled by default. /// </summary> /// <param name="pipelines">Application pipelines</param> public static void Enable(IPipelines pipelines, CryptographyConfiguration cryptographyConfiguration = null) { cryptographyConfiguration = cryptographyConfiguration ?? CsrfApplicationStartup.CryptographyConfiguration; var postHook = new PipelineItem <Action <NancyContext> >( CsrfHookName, context => { if (context.Response == null || context.Response.Cookies == null || context.Request.Method.Equals("OPTIONS", StringComparison.OrdinalIgnoreCase)) { return; } if (context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY)) { context.Response.Cookies.Add(new NancyCookie(CsrfToken.DEFAULT_CSRF_KEY, (string)context.Items[CsrfToken.DEFAULT_CSRF_KEY], true)); return; } if (context.Request.Cookies.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY)) { var decodedValue = HttpUtility.UrlDecode(context.Request.Cookies[CsrfToken.DEFAULT_CSRF_KEY]); var cookieToken = CsrfApplicationStartup.ObjectSerializer.Deserialize(decodedValue) as CsrfToken; if (CsrfApplicationStartup.TokenValidator.CookieTokenStillValid(cookieToken)) { context.Items[CsrfToken.DEFAULT_CSRF_KEY] = decodedValue; return; } } var token = new CsrfToken { CreatedDate = DateTime.Now, }; token.CreateRandomBytes(); token.CreateHmac(cryptographyConfiguration.HmacProvider); var tokenString = CsrfApplicationStartup.ObjectSerializer.Serialize(token); context.Items[CsrfToken.DEFAULT_CSRF_KEY] = tokenString; context.Response.Cookies.Add(new NancyCookie(CsrfToken.DEFAULT_CSRF_KEY, tokenString, true)); }); pipelines.AfterRequest.AddItemToEndOfPipeline(postHook); }
/// <summary> /// Enables Csrf token generation. /// This is disabled by default. /// </summary> /// <param name="pipelines">Application pipelines</param> public static void Enable(IPipelines pipelines, CryptographyConfiguration cryptographyConfiguration = null) { cryptographyConfiguration = cryptographyConfiguration ?? CsrfApplicationStartup.CryptographyConfiguration; var postHook = new PipelineItem<Action<NancyContext>>( CsrfHookName, context => { if (context.Response == null || context.Response.Cookies == null || context.Request.Method.Equals("OPTIONS", StringComparison.OrdinalIgnoreCase)) { return; } if (context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY)) { context.Response.Cookies.Add(new NancyCookie(CsrfToken.DEFAULT_CSRF_KEY, (string)context.Items[CsrfToken.DEFAULT_CSRF_KEY], true)); return; } if (context.Request.Cookies.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY)) { var decodedValue = HttpUtility.UrlDecode(context.Request.Cookies[CsrfToken.DEFAULT_CSRF_KEY]); var cookieToken = CsrfApplicationStartup.ObjectSerializer.Deserialize(decodedValue) as CsrfToken; if (CsrfApplicationStartup.TokenValidator.CookieTokenStillValid(cookieToken)) { context.Items[CsrfToken.DEFAULT_CSRF_KEY] = decodedValue; return; } } var token = new CsrfToken { CreatedDate = DateTime.Now, }; token.CreateRandomBytes(); token.CreateHmac(cryptographyConfiguration.HmacProvider); var tokenString = CsrfApplicationStartup.ObjectSerializer.Serialize(token); context.Items[CsrfToken.DEFAULT_CSRF_KEY] = tokenString; context.Response.Cookies.Add(new NancyCookie(CsrfToken.DEFAULT_CSRF_KEY, tokenString, true)); }); pipelines.AfterRequest.AddItemToEndOfPipeline(postHook); }
/// <summary> /// Validates a pair of tokens /// </summary> /// <param name="tokenOne">First token (usually from either a form post or querystring)</param> /// <param name="tokenTwo">Second token (usually from a cookie)</param> /// <param name="validityPeriod">Optional period that the tokens are valid for</param> /// <returns>Token validation result</returns> public CsrfTokenValidationResult Validate(CsrfToken tokenOne, CsrfToken tokenTwo, TimeSpan?validityPeriod = new TimeSpan?()) { if (tokenOne == null || tokenTwo == null) { return(CsrfTokenValidationResult.TokenMissing); } if (!tokenOne.Equals(tokenTwo)) { return(CsrfTokenValidationResult.TokenMismatch); } if (tokenOne.RandomBytes == null || tokenOne.RandomBytes.Length == 0) { return(CsrfTokenValidationResult.TokenTamperedWith); } var newToken = new CsrfToken { CreatedDate = tokenOne.CreatedDate, RandomBytes = tokenOne.RandomBytes, }; newToken.CreateHmac(this.hmacProvider); if (!newToken.Hmac.SequenceEqual(tokenOne.Hmac)) { return(CsrfTokenValidationResult.TokenTamperedWith); } if (validityPeriod.HasValue) { var expiryDate = tokenOne.CreatedDate.Add(validityPeriod.Value); if (DateTime.Now > expiryDate) { return(CsrfTokenValidationResult.TokenExpired); } } return(CsrfTokenValidationResult.Ok); }
/// <summary> /// Validates that a cookie token is still valid with the current configuration / keys /// </summary> /// <param name="cookieToken">Token to validate</param> /// <returns>True if valid, false otherwise</returns> public bool CookieTokenStillValid(CsrfToken cookieToken) { if (cookieToken == null || cookieToken.RandomBytes == null || cookieToken.RandomBytes.Length == 0) { return false; } var newToken = new CsrfToken { CreatedDate = cookieToken.CreatedDate, RandomBytes = cookieToken.RandomBytes, }; newToken.CreateHmac(this.hmacProvider); if (!newToken.Hmac.SequenceEqual(cookieToken.Hmac)) { return false; } return true; }
/// <summary> /// Creates a new csrf token with an optional salt. /// Does not store the token in context. /// </summary> /// <returns>The generated token</returns> internal static string GenerateTokenString(CryptographyConfiguration cryptographyConfiguration = null) { cryptographyConfiguration = cryptographyConfiguration ?? CsrfApplicationStartup.CryptographyConfiguration; var token = new CsrfToken { CreatedDate = DateTimeOffset.Now }; token.CreateRandomBytes(); token.CreateHmac(cryptographyConfiguration.HmacProvider); var builder = new StringBuilder(); builder.AppendFormat("RandomBytes{0}{1}", ValueDelimiter, Convert.ToBase64String(token.RandomBytes)); builder.Append(PairDelimiter); builder.AppendFormat("Hmac{0}{1}", ValueDelimiter, Convert.ToBase64String(token.Hmac)); builder.Append(PairDelimiter); builder.AppendFormat("CreatedDate{0}{1}", ValueDelimiter, token.CreatedDate.ToString("o", CultureInfo.InvariantCulture)); return(builder.ToString()); }
/// <summary> /// Enables Csrf token generation. /// This is enabled automatically so there should be no reason to call this manually. /// </summary> /// <param name="pipelines">Application pipelines</param> public static void Enable(IPipelines pipelines) { var postHook = new PipelineItem <Action <NancyContext> >( CsrfHookName, context => { if (context.Response == null || context.Response.Cookies == null) { return; } if (context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY)) { context.Response.Cookies.Add(new NancyCookie(CsrfToken.DEFAULT_CSRF_KEY, (string)context.Items[CsrfToken.DEFAULT_CSRF_KEY], true)); return; } if (context.Request.Cookies.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY)) { context.Items[CsrfToken.DEFAULT_CSRF_KEY] = HttpUtility.UrlDecode(context.Request.Cookies[CsrfToken.DEFAULT_CSRF_KEY]); return; } var token = new CsrfToken { CreatedDate = DateTime.Now, }; token.CreateRandomBytes(); token.CreateHmac(CsrfStartup.CryptographyConfiguration.HmacProvider); var tokenString = CsrfStartup.ObjectSerializer.Serialize(token); context.Items[CsrfToken.DEFAULT_CSRF_KEY] = tokenString; context.Response.Cookies.Add(new NancyCookie(CsrfToken.DEFAULT_CSRF_KEY, tokenString, true)); }); pipelines.AfterRequest.AddItemToEndOfPipeline(postHook); }
/// <summary> /// Validates a pair of tokens /// </summary> /// <param name="tokenOne">First token (usually from either a form post or querystring)</param> /// <param name="tokenTwo">Second token (usually from a cookie)</param> /// <param name="validityPeriod">Optional period that the tokens are valid for</param> /// <returns>Token validation result</returns> public CsrfTokenValidationResult Validate(CsrfToken tokenOne, CsrfToken tokenTwo, TimeSpan? validityPeriod = new TimeSpan?()) { if (tokenOne == null || tokenTwo == null) { return CsrfTokenValidationResult.TokenMissing; } if (!tokenOne.Equals(tokenTwo)) { return CsrfTokenValidationResult.TokenMismatch; } if (tokenOne.RandomBytes == null || tokenOne.RandomBytes.Length == 0) { return CsrfTokenValidationResult.TokenTamperedWith; } var newToken = new CsrfToken { CreatedDate = tokenOne.CreatedDate, RandomBytes = tokenOne.RandomBytes, }; newToken.CreateHmac(this.hmacProvider); if (!newToken.Hmac.SequenceEqual(tokenOne.Hmac)) { return CsrfTokenValidationResult.TokenTamperedWith; } if (validityPeriod.HasValue) { var expiryDate = tokenOne.CreatedDate.Add(validityPeriod.Value); if (DateTime.Now > expiryDate) { return CsrfTokenValidationResult.TokenExpired; } } return CsrfTokenValidationResult.Ok; }
/// <summary> /// Enables Csrf token generation. /// This is enabled automatically so there should be no reason to call this manually. /// </summary> /// <param name="pipelines">Application pipelines</param> public static void Enable(IPipelines pipelines) { var postHook = new PipelineItem<Action<NancyContext>>( CsrfHookName, context => { if (context.Response == null || context.Response.Cookies == null) { return; } if (context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY)) { context.Response.Cookies.Add(new NancyCookie(CsrfToken.DEFAULT_CSRF_KEY, (string)context.Items[CsrfToken.DEFAULT_CSRF_KEY], true)); return; } if (context.Request.Cookies.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY)) { context.Items[CsrfToken.DEFAULT_CSRF_KEY] = HttpUtility.UrlDecode(context.Request.Cookies[CsrfToken.DEFAULT_CSRF_KEY]); return; } var token = new CsrfToken { CreatedDate = DateTime.Now, }; token.CreateRandomBytes(); token.CreateHmac(CsrfStartup.CryptographyConfiguration.HmacProvider); var tokenString = CsrfStartup.ObjectSerializer.Serialize(token); context.Items[CsrfToken.DEFAULT_CSRF_KEY] = tokenString; context.Response.Cookies.Add(new NancyCookie(CsrfToken.DEFAULT_CSRF_KEY, tokenString, true)); }); pipelines.AfterRequest.AddItemToEndOfPipeline(postHook); }
/// <summary> /// Validates that a cookie token is still valid with the current configuration / keys /// </summary> /// <param name="cookieToken">Token to validate</param> /// <returns>True if valid, false otherwise</returns> public bool CookieTokenStillValid(CsrfToken cookieToken) { if (cookieToken == null || cookieToken.RandomBytes == null || cookieToken.RandomBytes.Length == 0) { return(false); } var newToken = new CsrfToken { CreatedDate = cookieToken.CreatedDate, RandomBytes = cookieToken.RandomBytes, }; newToken.CreateHmac(this.hmacProvider); if (!newToken.Hmac.SequenceEqual(cookieToken.Hmac)) { return(false); } return(true); }
/// <summary> /// Creates a new csrf token with an optional salt. /// Does not store the token in context. /// </summary> /// <returns>The generated token</returns> internal static string GenerateTokenString(CryptographyConfiguration cryptographyConfiguration = null) { cryptographyConfiguration = cryptographyConfiguration ?? CsrfApplicationStartup.CryptographyConfiguration; var token = new CsrfToken { CreatedDate = DateTime.Now, }; token.CreateRandomBytes(); token.CreateHmac(cryptographyConfiguration.HmacProvider); var tokenString = CsrfApplicationStartup.ObjectSerializer.Serialize(token); return tokenString; }
public void Should_return_token_expired_if_it_has() { DateTime date = DateTime.Now.AddHours(-1); var tokenOne = new CsrfToken { CreatedDate = date, RandomBytes = new byte[] { 1, 2, 3 } }; var tokenTwo = new CsrfToken { CreatedDate = date, RandomBytes = new byte[] { 1, 2, 3 } }; tokenOne.CreateHmac(this.hmacProvider); tokenTwo.CreateHmac(this.hmacProvider); var result = this.validator.Validate(tokenOne, tokenTwo, validityPeriod: new TimeSpan(0, 30, 0)); result.ShouldEqual(CsrfTokenValidationResult.TokenExpired); }
/// <summary> /// Gets a byte array representation of the csrf token for generating /// hmacs /// </summary> /// <param name="token">Token</param> /// <returns>Byte array representing the token</returns> public static byte[] GetCsrfTokenBytes(this CsrfToken token) { return(token.RandomBytes .Concat(BitConverter.GetBytes(token.CreatedDate.UtcTicks)) .ToArray()); }
/// <summary> /// Calculates and sets the Hmac property on a given token /// </summary> /// <param name="token">Token</param> /// <param name="hmacProvider">Hmac provider to use</param> /// <returns>Hmac bytes</returns> public static void CreateHmac(this CsrfToken token, IHmacProvider hmacProvider) { token.Hmac = hmacProvider.GenerateHmac(token.GetCsrfTokenBytes()); }