Jason McNeil
|
b50d91d58e
|
Merge pull request from GHSA-94w9-97p3-p368
* feat: improved csrf with session support
* fix: double submit cookie
* feat: add warning cookie extractor without session
* feat: add warning CsrfFromCookie SameSite
* fix: use byes.Equal instead
* fix: Overriden CookieName KeyLookup cookie:<name>
* feat: Create helpers.go
* feat: use compareTokens (constant time compare)
* feat: validate cookie to prevent token injection
* refactor: clean up csrf.go
* docs: update comment about Double Submit Cookie
* docs: update docs for CSRF changes
* feat: add DeleteToken
* refactor: no else
* test: add more tests
* refactor: re-order tests
* docs: update safe methods RCF add note
* test: add CSRF_Cookie_Injection_Exploit
* feat: add SingleUseToken config
* test: check for new token
* docs: use warning
* fix: always register type Token
* feat: use UUIDv4
* test: swap in UUIDv4 here too
|
2023-10-11 14:41:42 +02:00 |
René Werner