Provides support for CSRF token generation and validation using the Microsoft.AspNetCore.Antiforgery package.
Ensure that you've added Antiforgery services to the IoC Container via
services.AddAntiforgery().
open Giraffe.Antiforgery
open Giraffe.GiraffeViewEngine.Antiforgery
// rest of code
let formView (token : AntiforgeryTokenSet) =
html [] [
body [] [
form [ _method "post" ] [
antiforgeryInput token
input [ _type "submit"; _value "Submit" ]
]
]
]
let csrfHandler (token : AntiforgeryTokenSet) : HttpHandler =
fun (next: HttpFunc) (ctx : HttpContext) ->
htmlView (formView token) next ctx
let webApp =
choose [
GET >=> choose [
// using htmlView helper
route "/token" >=> choose [
GET >=> csrfHtmlView formView
POST >=> requiresCsrfToken (text "intruder!") >=> text "oh hi there ;)"
]
// manual token handler
route "/token" >=> choose [
GET >=> csrfTokenizer csrfHandler
POST >=> requiresCsrfToken (text "intruder!") >=> text "oh hi there ;)"
]
route "/" >=> text "hello"
]
RequestErrors.NOT_FOUND "Not Found"
]
// rest of codeGenerates a CSRF token using the Microsoft.AspNetCore.Antiforgery package, which is fed into the provided handler.
csrfTokenizer: (handler : AntiforgeryTokenSet -> HttpHandler) -> (next: HttpFunc) -> (ctx : HttpContext) -> HttpFuncResultInjects a newly generated CSRF token into a Giraffe.GiraffeViewEngine.XmlNode. Think enriched htmlView.
csrfHtmlView: (view : AntiforgeryTokenSet -> XmlNode) -> (next: HttpFunc) -> (ctx : HttpContext) -> HttpFuncResultChecks the presence and validity of CSRF token and calls invalidTokenHandler on failure. Analogous to requiresAuthentication.
requiresCsrfToken: (invalidTokenHandler : HttpHandler) -> (next: HttpFunc) -> (ctx : HttpContext) -> HttpFuncResultGenerates the hidden CSRF input using the Giraffe.GiraffeViewEngine
antiforgeryInput (token : AntiforgeryTokenSet) -> XmlNodeRequires
open Giraffe.GiraffeViewEngine.Antiforgery