
Websocket and time sensitive CSRF-token - how to update token in state #351

Closed · huima opened this issue Oct 24, 2019 · 2 comments

Comments

@huima commented Oct 24, 2019

Hi,

I am currently wondering about a use case where the CSRF token would be valid only for a limited time. This would become problematic in Sente websocket reconnects, as the same token is used as in the initial handshake.

The first thought that comes to my mind would be to solve this by passing new tokens inside the websocket connection as time goes by. As the connection was opened with a valid token, we should trust the user on the other end.

My current test code works as follows:

  • I take `chsk` from `make-channel-socket-client!` and access the state available in the key `:state_`

  • whenever the server pushes an updated token to the client, I update the key `:csrf-token` in the state with the new key

I also tested using `chsk-reconnect`, and it seemed that the browser used the updated token as it should.

@eneroth commented Nov 3, 2021

I'm considering the same question for a different purpose: what happens if the server goes down? When it comes back up, it's going to issue a different CSRF token to the client (unless I somehow persist them, which seems sketchy and hard to do).

A more elegant solution might be for Sente to accept a function as well as a literal CSRF token. If it's a function, it'll evaluate it to get the literal CSRF token. That way, the token can be stored in, for example, the re-frame DB, and updated as needed.
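Both approaches discussed in this thread, as an added ClojureScript example; it is not code from the issue or from Sente itself. It assumes the `make-channel-socket-client!` signature after the PR merged for this issue (the second argument may be a function that returns the token), an application atom `app-db`, a server-pushed event id `:example/rotate-csrf-token`, and that the server renders the initial token into a `sente-csrf-token` element; the `:state_` atom and `:csrf-token` key are the ones named in the first post.

```clojure
;; Added example, not part of the issue or of Sente. Keeps the CSRF token
;; Sente sends on every (re)connect in sync with a server that rotates it.
(ns example.chsk
  (:require [taoensso.sente :as sente]))

;; Constructed application state; in a real app this could be the re-frame db.
(defonce app-db (atom {:csrf-token nil}))

(defn read-initial-token!
  "Reads the token the server rendered into the page. The element id and
   attribute name are assumptions for this example."
  []
  (when-let [el (.getElementById js/document "sente-csrf-token")]
    (.getAttribute el "data-csrf-token")))

(swap! app-db assoc :csrf-token (read-initial-token!))

;; Approach from the merged PR: pass a *function* instead of a literal token.
;; Sente calls it on each (re)connect, so the handshake always carries the
;; latest token rather than the one captured when the client was created.
(defonce chsk-client
  (sente/make-channel-socket-client!
    "/chsk"
    (fn [] (:csrf-token @app-db))
    {:type :auto}))

(def chsk       (:chsk    chsk-client))
(def ch-chsk    (:ch-recv chsk-client))
(def chsk-send! (:send-fn chsk-client))
(def chsk-state (:state   chsk-client))

;; The server pushes a rotated token over the already-authenticated channel
;; as an ordinary application event (event id assumed). Server-pushed events
;; arrive wrapped in :chsk/recv with ?data = [event-id event-data].
(defmulti -event-msg-handler :id)
(defmethod -event-msg-handler :default [_] nil)

(defmethod -event-msg-handler :chsk/recv
  [{:keys [?data]}]
  (let [[ev-id ev-data] ?data]
    (when (= ev-id :example/rotate-csrf-token)
      ;; With the function approach this single swap! is all that is needed.
      (swap! app-db assoc :csrf-token (:csrf-token ev-data)))))

;; Pre-PR alternative from the first post: when Sente only accepts a literal
;; string, overwrite the token inside the chsk's own state atom so that
;; chsk-reconnect picks it up.
(defn update-chsk-token!
  [new-token]
  (swap! (:state_ chsk) assoc :csrf-token new-token))

(defonce router
  (sente/start-client-chsk-router! ch-chsk -event-msg-handler))
```

Either way the server keeps validating the token on every handshake, including reconnects; the point of rotating it over the open channel is that the client never reconnects with a stale token, while the new value only travels inside a connection that was already authenticated with a valid one.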

@ptaoussanis (Member) commented

Closing since I'm merging @eneroth's PR in a moment. Thanks Henrik! Apologies for the slow response.

ptaoussanis pushed a commit that referenced this issue May 31, 2022
- This modifies `make-channel-socket-client!`.
- When the function is evaluated, it's expected to return a CSRF-token.
- CSRF-token strings are still supported.
ptaoussanis pushed a commit that referenced this issue Jun 1, 2022
…sanis)

- This modifies `make-channel-socket-client!`.
- When the function is evaluated, it's expected to return a CSRF-token.
- CSRF-token strings are still supported.