From f5c8ba0cff3a092ca3991383e9951be1e37055af Mon Sep 17 00:00:00 2001
From: Tim McGilchrist
Date: Fri, 3 Nov 2023 00:27:16 +1100
Subject: [PATCH] Update dream-mirage (#283)
Mainly to provide csrf_tag rather than form_tag helper.
---
dream-mirage.opam | 2 +-
src/mirage/mirage.ml | 7 ------
src/mirage/mirage.mli | 55 +++++++++++++++++--------------------------
3 files changed, 23 insertions(+), 41 deletions(-)
diff --git a/dream-mirage.opam b/dream-mirage.opam
index 0c0e90f2..5ddbcc15 100644
--- a/dream-mirage.opam
+++ b/dream-mirage.opam
@@ -59,7 +59,7 @@ depends: [
"letsencrypt" {>= "0.3.0"}
"lwt"
"lwt_ppx" {>= "1.2.2"}
- "mimic"
+ "mimic" {>= "0.0.5"}
"mirage-time"
"rresult"
"tcpip"
diff --git a/src/mirage/mirage.ml b/src/mirage/mirage.ml
index 6f5f5a09..86af0c20 100644
--- a/src/mirage/mirage.ml
+++ b/src/mirage/mirage.ml
@@ -343,13 +343,6 @@ module Make (Pclock : Mirage_clock.PCLOCK) (Time : Mirage_time.S) (Stack : Tcpip
let verify_csrf_token = verify_csrf_token ~now
let csrf_tag = Tag.csrf_tag ~now
- (* Templates *)
-
- let form_tag ?method_ ?target ?enctype ?csrf_token ~action request =
- Tag.form_tag ~now ?method_ ?target ?enctype ?csrf_token ~action request
-
-
-
(* Errors *)
type error = Catch.error = {
diff --git a/src/mirage/mirage.mli b/src/mirage/mirage.mli
index 177860ed..99f8f31f 100644
--- a/src/mirage/mirage.mli
+++ b/src/mirage/mirage.mli
@@ -908,14 +908,15 @@ module Make
(** {1 Forms}
- {!Dream.form_tag} and {!Dream.val-form} round-trip secure forms.
- {!Dream.form_tag} is used inside a template to generate a form header with a
- CSRF token:
+ {!Dream.csrf_tag} and {!Dream.val-form} round-trip secure forms.
+ {!Dream.csrf_tag} is used inside a form template to generate a hidden field
+ with a CSRF token:
{[
- <%s! Dream.form_tag ~action:"/" request %>
-
-
+ <%s! Dream.csrf_tag request %>
+
+
]}
{!Dream.val-form} recieves the form and checks the CSRF token:
@@ -953,13 +954,13 @@ module Make
val form : ?csrf:bool -> request -> (string * string) list form_result promise
(** Parses the request body as a form. Performs CSRF checks. Use
- {!Dream.form_tag} in a template to transparently generate forms that will
+ {!Dream.csrf_tag} in a template to transparently generate forms that will
pass these checks. See {!section-templates} and example {{:https://github.com/aantron/dream/tree/master/example/d-form#readme} [d-form]}.
- [Content-Type:] must be [application/x-www-form-urlencoded].
- - The form must have a field named [dream.csrf]. {!Dream.form_tag} adds such
+ - The form must have a field named [dream.csrf]. {!Dream.csrf_tag} adds such
a field.
- {!Dream.form} calls {!Dream.verify_csrf_token} to check the token in [dream.csrf].
@@ -1100,8 +1101,9 @@ module Make
It's usually not necessary to handle CSRF tokens directly.
- - Form tag generator {!Dream.form_tag} generates and inserts a CSRF token
- that {!Dream.val-form} and {!Dream.val-multipart} transparently verify.
+ - CSRF token field generator {!Dream.csrf_tag} generates and inserts a CSRF
+ token that {!Dream.val-form} and {!Dream.val-multipart} transparently
+ verify.
- AJAX can be protected from CSRF by {!Dream.origin_referrer_check}. CSRF functions are exposed for creating custom schemes, and for
@@ -1136,8 +1138,6 @@ module Make
val verify_csrf_token : request -> string -> csrf_result promise
(** Checks that the CSRF token is valid for the {!type-request}'s session. *)
- val csrf_tag : request -> string
-
(** {1 Templates}
Dream includes a template preprocessor that allows interleaving OCaml and
@@ -1223,20 +1223,13 @@ module Make
unquoted attribute values, CSS in [
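Review bot: The rewritten doc line `+ {!Dream.csrf_tag} in a template to transparently generate forms that will pass these checks` in the `val form` hunk still says the helper generates forms, but this same patch's Forms section describes csrf_tag as generating only a hidden field with the token, so the form element itself is now written by hand. Suggest `Use {!Dream.csrf_tag} inside each form in a template to insert the [dream.csrf] field that these checks require.` Since the bullet below in this hunk states that {!Dream.form} requires the [dream.csrf] field, a hand-written form that omits the tag now fails at request time rather than being structurally impossible, and this sentence is where users learn they must add it to every form. While here, `recieves` in the untouched context line just above the hunk could be corrected to `receives`.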