Maximilian Tagher a01051eaf6 Have the yesod-auth login form use a CSRF token
Closes #1159

Based on reading this [StackOverflow Post](http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks) and skimming [this paper](http://seclab.stanford.edu/websec/csrf/csrf.pdf), using CSRF protection on login forms protects against a vulnerability where an attacker submits their own username/password in the login form. Later, the user uses the real site, but doesn't realize they're logged in as the attacker. This creates vulnerabilities like:

1. If the site logs the user's activity for them (e.g. recently watched videos on YouTube, previous searches on Google), the attacker can see this information by logging in.
2. If the user adds sensitive information to the account, like credit card information, the attacker can log in and potentially steal that information or use it on the site.

I don't think this vulnerability applies to the `Yesod.Auth.Hardcoded` plugin because the attacker couldn't create an account of their own.

However:

* If I understand the example in `Yesod.Auth.Hardcoded`, one use case is to share one login form that works for both the Hardcoded plugin as well as normal database-backed username/password login, in which case having a CSRF token makes sense
* I don't see a downside to having the CSRF token there
* It makes the Hardcoded plugin work with the CSRF middleware

Does this sound like the right solution?
2016-02-14 17:32:46 -08:00
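The attack the commit message describes (login CSRF) and the per-session `_token` check that stops it, as an added example in Python. This is not code from yesod, yesod-auth or this commit: the `Session`, `render_login_form`, `handle_login`, `forged_login_form` and `simulate_cross_site_login` names, the `/auth/login` route and the two-user credential table are all invented for the demo. It goes one step beyond the text by showing why the token must be bound to the victim's own session: the attacker can always obtain a valid token for *their* session on the site and paste it into the forged form, so a site-wide or merely "valid" token would not help.

```python
"""Login CSRF: a cross-site form logs the victim's browser in as the attacker.
Added example, not yesod-auth code; every name below is invented for the demo."""
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed credential store for the demo (plaintext only to keep it short).
USERS = {"attacker": "attacker-pw", "victim": "victim-pw"}


@dataclass
class Session:
    """One browser's session state.  Yesod keeps this in an encrypted
    client-side cookie; the token check below is the same either way."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    user: Optional[str] = None


def render_login_form(session: Session) -> str:
    """GET /auth/login: the form embeds this session's token as `_token`."""
    return (
        '<form method="post" action="/auth/login">'
        f'<input type="hidden" name="_token" value="{session.csrf_token}">'
        '<input name="username"><input name="password">'
        '<button>Log in</button></form>'
    )


def handle_login(session: Session, form: dict, check_csrf: bool = True) -> bool:
    """POST /auth/login.  Returns True if `session` is now authenticated.
    `check_csrf=False` models the login form before the fix."""
    if check_csrf:
        submitted = form.get("_token", "")
        # Must equal the token of the session the cookie belongs to, not just
        # be *a* token the site issued; constant-time compare so the check
        # itself does not leak the value.
        if not hmac.compare_digest(submitted, session.csrf_token):
            return False
    user = form.get("username", "")
    password = form.get("password", "")
    if user not in USERS or not hmac.compare_digest(password, USERS[user]):
        return False
    session.user = user
    # Rotate the token on privilege change so a token that leaked from the
    # anonymous session is useless against the authenticated one.
    session.csrf_token = secrets.token_urlsafe(32)
    return True


def forged_login_form(attacker_session: Session) -> dict:
    """What the attacker's auto-submitting page POSTs to the victim site.
    The browser attaches the *victim's* cookie, but the attacker cannot read
    the victim's token; the best they can do is supply their own."""
    return {
        "username": "attacker",
        "password": "attacker-pw",
        "_token": attacker_session.csrf_token,
    }


def simulate_cross_site_login(check_csrf: bool) -> Optional[str]:
    """Returns whom the victim's session ends up logged in as."""
    victim = Session()    # victim's anonymous session on the site
    attacker = Session()  # attacker's own session on the same site
    handle_login(victim, forged_login_form(attacker), check_csrf=check_csrf)
    return victim.user


def legitimate_login(session: Session) -> Optional[str]:
    """Same-origin flow: fetch the form, echo its token back with real creds."""
    html = render_login_form(session)
    token = re.search(r'name="_token" value="([^"]+)"', html).group(1)
    handle_login(session, {"_token": token, "username": "victim",
                           "password": "victim-pw"})
    return session.user


if __name__ == "__main__":
    print("without check:", simulate_cross_site_login(check_csrf=False))  # attacker
    print("with check:   ", simulate_cross_site_login(check_csrf=True))   # None
    print("legitimate:   ", legitimate_login(Session()))                  # victim
```

Two things a practitioner should check when applying this to a real login form: the session that carries the token has to exist before the user is logged in (an anonymous session cookie, which is what a client-session cookie gives you), and the token has to be compared against that specific session's value rather than merely validated as well-formed. The example's `simulate_cross_site_login(check_csrf=False)` is the silent-login-as-attacker outcome the commit message describes; with the check on, the forged POST is refused and the victim's session stays anonymous.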
Path                Last commit                                                        Date
demo                Added an example with email auth and an ses mailer                 2015-12-05 20:21:38 -07:00
yesod               Ghc710 conditional import and remove unused toUpper.               2015-08-26 14:22:12 +02:00
yesod-auth          Have the yesod-auth login form use a CSRF token                    2016-02-14 17:32:46 -08:00
yesod-auth-oauth    GHC 7.10 support                                                   2015-04-30 15:05:18 +03:00
yesod-bin           tar 0.5                                                            2016-01-10 17:23:06 +02:00
yesod-core          Add _token parameter to redirectToPost #1151                       2016-01-24 14:37:44 +02:00
yesod-eventsource   Doc link updates                                                   2014-12-21 15:23:52 +02:00
yesod-form          Fix var name to croatianFormMessage                                2016-01-20 09:47:28 +01:00
yesod-newsfeed      Fuller docs + version bump                                         2016-02-02 08:59:01 -08:00
yesod-persistent    Replace deprecated Connection type.                                2015-08-26 15:26:35 +02:00
yesod-sitemap       Doc link updates                                                   2014-12-21 15:23:52 +02:00
yesod-static        Version bump                                                       2015-09-07 08:35:36 +03:00
yesod-test          version bump for 1.5.0.1                                           2015-08-25 23:17:56 -07:00
yesod-websockets    Bump yesod-websockets version.                                     2015-08-28 19:30:32 -05:00
.gitignore          add a stack.yaml file                                              2015-06-07 21:41:18 -04:00
.travis.yml         Better Travis caching                                              2016-01-21 14:15:24 +02:00
CODE_OF_CONDUCT.md  CODE_OF_CONDUCT spacing and problem resolution                     2015-10-07 06:18:03 -07:00
Dockerfile          add a Dockerfile for haskell development                           2015-05-27 11:43:16 -04:00
LICENSE             Update license with MIT license                                    2012-04-29 09:38:45 +03:00
README              Formatted README a bit                                             2009-07-14 20:52:09 +03:00
README.md           Simplify README based on stack #1021                               2015-07-05 15:24:39 +03:00
ReleaseNotes.md     notes were out of date, seem to be maintained on wiki, noted such  2013-01-03 21:09:54 -08:00
sources.txt         Version bumps for 1.4 release                                      2014-09-21 11:41:37 +03:00
stack.yaml          Newer wai-app-static to fix build against nightly                  2016-01-21 09:09:03 +02:00

Yesod Web Framework

An advanced web framework using the Haskell programming language. Featuring:

  • safety & security guaranteed at compile time
  • developer productivity: tools for all your basic web development needs
  • raw performance
    • fast, compiled code
    • techniques for constant-space memory consumption
  • asynchronous IO
    • this is built in to the Haskell programming language (like Erlang)

Learn more about Yesod on its main website. If you want to get started using Yesod, we strongly recommend the quick start guide, based on the Haskell build tool stack.

Hacking on Yesod

Yesod consists mostly of four repositories:

git clone --recursive http://github.com/yesodweb/shakespeare
git clone --recursive http://github.com/yesodweb/persistent
git clone --recursive http://github.com/yesodweb/wai
git clone --recursive http://github.com/yesodweb/yesod

Each repository can be built with stack build.