forked from conjured/silverfish
cutest lil ecommerce system you've ever seen
- Rust 81.6%
- HTML 8.7%
- TypeScript 3%
- Fluent 2.7%
- CSS 1.9%
- Other 2.1%
|
Kyle Lacy
be6e7d44b5
Use
tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 )
Fixes: conjured/silverfish#197 This PR replaces all of our existing [CSRF](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF) machinery ([`axum_csrf`](https://crates.io/crates/axum_csrf) plus our `silverfish-middleware-csrf` crate) with [`tower-sec-fetch`](https://crates.io/crates/tower-sec-fetch) instead. The high-level idea is to avoid the classic approaches for CSRF protections (i.e. using cookies and/or random tokens), and to instead rely entirely (or almost entirely) on the [`Sec-Fetch-*`](https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header) family of request headers. For modern browsers, this protects against CSRF attacks just as well as the classic approaches, but is _much_ simpler to implement (and therefore leaves a lot less room for security vulnerabilities). For more reading, I found these articles really helpful, and used them to guide my implementation: - https://blog.miguelgrinberg.com/post/csrf-protection-without-tokens-or-hidden-form-fields - https://words.filippo.io/csrf/ I used [`tower-sec-fetch`](https://github.com/MatteoJoliveau/tower-sec-fetch), which-- as the name implies-- gives us a `tower` layer to check the `Sec-Fetch-*` headers! But I ended up adding a custom [`SecFetchAuthorizer`](https://docs.rs/tower-sec-fetch/0.1.2/tower_sec_fetch/trait.SecFetchAuthorizer.html) too, to tweak the behavior: - Reject `Sec-Fetch-Site: same-site` requests (redundant if this PR is merged upstream: https://github.com/MatteoJoliveau/tower-sec-fetch/pull/5) - Check by origin as a fallback (if the `Origin` header is set but the `Sec-Fetch-Site` header is not) Finally, I ripped out _all_ the old CSRF stuff, which was really satisfying! `axum_csrf` is gone, our custom `AuthenticForm` / `AuthenticMultipart` extractors are gone, the entire `silverfish-middleware-csrf` crate is gone, `csrf-salt` in the config is gone, all the CSRF token form inputs are gone. Reviewed-on: conjured/silverfish#203 Reviewed-by: Kat Marchán <zkat@noreply.codeberg.org> Co-authored-by: Kyle Lacy <kylelacy@kyle.space> Co-committed-by: Kyle Lacy <kylelacy@kyle.space> |
||
|---|---|---|
| .cargo | Moving db stuff out into separate crates ( #116 ) | |
| .forgejo/workflows | #150 : Add a musl release ( #183 ) | |
| config |
Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 )
|
|
| contrib/systemd |
Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 )
|
|
| crates |
Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 )
|
|
| docker | flatten silverfish-stall into a single top level silverfish again | |
| src |
Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 )
|
|
| src-frontend | set up some basic view and controller testing ( #184 ) | |
| stall-prototype | Upload files to "stall-prototype" | |
| static | flatten silverfish-stall into a single top level silverfish again | |
| .env | login/auth/admin creation/etc ( #43 ) | |
| .gitignore | #150 : Add a musl release ( #183 ) | |
| .rustfmt.toml | initial commit | |
| askama.toml | flatten silverfish-stall into a single top level silverfish again | |
| Cargo.lock |
Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 )
|
|
| Cargo.toml |
Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 )
|
|
| flake.lock | Add nix flake to repo ( #38 ) | |
| flake.nix | Fix flake.nix, allow sourcing dependencies with git ( #100 ) | |
| i18n.toml | flatten silverfish-stall into a single top level silverfish again | |
| Justfile | set up some basic view and controller testing ( #184 ) | |
| LICENSE.md | Rename license | |
| README.md |
doc: document setting smtp-from for dev setup ( #200 )
|
|
| rust-toolchain.toml | bump rust version ( #174 ) | |
silverfish
new kid on the block
Requirements
- Rust 1.91.1 or later w/ Cargo (use rustup)
- Node.js 20 or later
- (optional)
watchexec - (optional)
just: Can be installed withcargo install just
Getting Started
- (optional) Copy
./config/dev.secret.example.kdlto./config/dev.secret.kdland edit as desired. Some options that are also nice to set in yourdev.secret.kdl:smtp-fromif you want to be able to login via the web interface (though you can also set this in the admin interface). Silverfish in development mode is configured to log email to stdout by default. You can also set this value in the admin dashboard later.
cargo run -- keygento createsession-key. Store the result indev.secret.kdl.just db-setupto create the database and migrate it.just devto start the server/watcher with all frontend stuff installed and built.- Visit https://localhost:4000 or wherever you configured your dev server to listen.
- (optional) To create a local admin account for testing run
cargo run -p silverfish admin create <email>and use the magic link in the output to visitlocalhost:4000/adminSeeJustfilefor other tasks to run.