1
0
Fork
You've already forked silverfish
0
forked from conjured/silverfish
cutest lil ecommerce system you've ever seen
  • Rust 81.6%
  • HTML 8.7%
  • TypeScript 3%
  • Fluent 2.7%
  • CSS 1.9%
  • Other 2.1%
Kyle Lacy be6e7d44b5 Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 )
Fixes: conjured/silverfish#197
This PR replaces all of our existing [CSRF](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF) machinery ([`axum_csrf`](https://crates.io/crates/axum_csrf) plus our `silverfish-middleware-csrf` crate) with [`tower-sec-fetch`](https://crates.io/crates/tower-sec-fetch) instead.
The high-level idea is to avoid the classic approaches for CSRF protections (i.e. using cookies and/or random tokens), and to instead rely entirely (or almost entirely) on the [`Sec-Fetch-*`](https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header) family of request headers. For modern browsers, this protects against CSRF attacks just as well as the classic approaches, but is _much_ simpler to implement (and therefore leaves a lot less room for security vulnerabilities). For more reading, I found these articles really helpful, and used them to guide my implementation:
- https://blog.miguelgrinberg.com/post/csrf-protection-without-tokens-or-hidden-form-fields
- https://words.filippo.io/csrf/
I used [`tower-sec-fetch`](https://github.com/MatteoJoliveau/tower-sec-fetch), which-- as the name implies-- gives us a `tower` layer to check the `Sec-Fetch-*` headers! But I ended up adding a custom [`SecFetchAuthorizer`](https://docs.rs/tower-sec-fetch/0.1.2/tower_sec_fetch/trait.SecFetchAuthorizer.html) too, to tweak the behavior:
- Reject `Sec-Fetch-Site: same-site` requests (redundant if this PR is merged upstream: https://github.com/MatteoJoliveau/tower-sec-fetch/pull/5)
- Check by origin as a fallback (if the `Origin` header is set but the `Sec-Fetch-Site` header is not)
Finally, I ripped out _all_ the old CSRF stuff, which was really satisfying! `axum_csrf` is gone, our custom `AuthenticForm` / `AuthenticMultipart` extractors are gone, the entire `silverfish-middleware-csrf` crate is gone, `csrf-salt` in the config is gone, all the CSRF token form inputs are gone.
Reviewed-on: conjured/silverfish#203
Reviewed-by: Kat Marchán <zkat@noreply.codeberg.org>
Co-authored-by: Kyle Lacy <kylelacy@kyle.space>
Co-committed-by: Kyle Lacy <kylelacy@kyle.space>
2026年01月07日 17:59:02 +01:00
.cargo Moving db stuff out into separate crates ( #116 ) 2025年10月13日 00:00:05 +02:00
.forgejo/workflows #150 : Add a musl release ( #183 ) 2025年12月18日 21:44:08 +01:00
config Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 ) 2026年01月07日 17:59:02 +01:00
contrib/systemd Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 ) 2026年01月07日 17:59:02 +01:00
crates Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 ) 2026年01月07日 17:59:02 +01:00
docker flatten silverfish-stall into a single top level silverfish again 2025年11月29日 09:41:22 -08:00
src Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 ) 2026年01月07日 17:59:02 +01:00
src-frontend set up some basic view and controller testing ( #184 ) 2026年01月04日 06:07:18 +01:00
stall-prototype Upload files to "stall-prototype" 2025年09月09日 00:10:38 +02:00
static flatten silverfish-stall into a single top level silverfish again 2025年11月29日 09:41:22 -08:00
.env login/auth/admin creation/etc ( #43 ) 2025年08月11日 04:47:56 +02:00
.gitignore #150 : Add a musl release ( #183 ) 2025年12月18日 21:44:08 +01:00
.rustfmt.toml initial commit 2025年08月01日 00:08:19 -07:00
askama.toml flatten silverfish-stall into a single top level silverfish again 2025年11月29日 09:41:22 -08:00
Cargo.lock Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 ) 2026年01月07日 17:59:02 +01:00
Cargo.toml Use tower-sec-fetch instead of axum_csrf for CSRF protection ( #203 ) 2026年01月07日 17:59:02 +01:00
flake.lock Add nix flake to repo ( #38 ) 2025年08月08日 04:34:48 +02:00
flake.nix Fix flake.nix, allow sourcing dependencies with git ( #100 ) 2025年09月27日 07:11:58 +02:00
i18n.toml flatten silverfish-stall into a single top level silverfish again 2025年11月29日 09:41:22 -08:00
Justfile set up some basic view and controller testing ( #184 ) 2026年01月04日 06:07:18 +01:00
LICENSE.md Rename license 2025年08月13日 19:52:25 +02:00
README.md doc: document setting smtp-from for dev setup ( #200 ) 2026年01月06日 19:17:28 +01:00
rust-toolchain.toml bump rust version ( #174 ) 2025年12月10日 17:27:19 +01:00

silverfish

new kid on the block

Requirements

  • Rust 1.91.1 or later w/ Cargo (use rustup)
  • Node.js 20 or later
  • (optional) watchexec
  • (optional) just: Can be installed with cargo install just

Getting Started

  1. (optional) Copy ./config/dev.secret.example.kdl to ./config/dev.secret.kdl and edit as desired. Some options that are also nice to set in your dev.secret.kdl:
    1. smtp-from if you want to be able to login via the web interface (though you can also set this in the admin interface). Silverfish in development mode is configured to log email to stdout by default. You can also set this value in the admin dashboard later.
  2. cargo run -- keygen to create session-key. Store the result in dev.secret.kdl.
  3. just db-setup to create the database and migrate it.
  4. just dev to start the server/watcher with all frontend stuff installed and built.
  5. Visit https://localhost:4000 or wherever you configured your dev server to listen.
  6. (optional) To create a local admin account for testing run cargo run -p silverfish admin create <email> and use the magic link in the output to visit localhost:4000/admin See Justfile for other tasks to run.