[Feature Request] CSRF protection

[evandrodacs]

Hi,
great project!

I would like to make a feature request: implement CSRF protection on fullmoon

For this, it would be necessary to implement two functions: one to generate the token and another to validate it later.

Thanks!

[pkulchenko]

@evandrodacs, agree; I've been looking into that with the API that may look like this:

• token = makeCsrfToken([url,[tokenname]]) -- returns a token to be added to a template
  get the value from the current csrf session cookie; generate if necessary; use session secret if not specified
  url is to make the token to be per page instead of per session; pass true to make it per session? or rather pass nil to make it per session (default) and pass true to use the current path value?
• valid = checkCsrfToken([tokenname][,403]) -- get the value from cookie; compare with the field value, return 403 error
  should checkCsrfToken also accept the url value? if so, then the call is likely to be `checkCsrfToken([url,[tokenname]][,403])

[evandrodacs]

Hello, thank you for the quick response.

I always use CSRF tokens per session :)

For me, the two functions makeCsrfToken() and checkCsrfToken() without arguments solve my problem!

But you can make the argument optional, allowing true for the current path or a string URL.