Skip to content

feat: add CSRF protection plugin#360

Open
Taure wants to merge 5 commits intomasterfrom
feat/csrf-protection
Open

feat: add CSRF protection plugin#360
Taure wants to merge 5 commits intomasterfrom
feat/csrf-protection

Conversation

@Taure
Copy link
Collaborator

@Taure Taure commented Feb 12, 2026

Summary

  • Add nova_csrf_plugin — CSRF protection using the synchronizer token pattern (generate random token per session, validate on POST/PUT/PATCH/DELETE)
  • Fix first-request session availability — nova_stream_h now injects the new session ID into the Req map so nova_session can use it immediately, instead of waiting for the cookie round-trip
  • Inject csrf_token into template variables in nova_basic_handler:handle_view/4 so templates can use {{ csrf_token }}

Details

Plugin options:

  • field_name — form field name (default _csrf_token)
  • header_name — header name (default x-csrf-token)
  • session_key — session storage key (default _csrf_token)
  • excluded_paths — list of path prefixes to skip

Token lookup order: x-csrf-token header first, then _csrf_token in parsed form params. Uses crypto:hash_equals/2 for constant-time comparison.

Requires nova_request_plugin to run before nova_csrf_plugin so form params are parsed.

Test plan

  • Token generation (binary, correct length, unique)
  • Constant-time comparison (equal, different, different length, undefined)
  • Safe method detection (GET/HEAD/OPTIONS safe; POST/PUT/PATCH/DELETE unsafe)
  • Path exclusion (prefix match, no match, empty list)
  • Submitted token extraction (from header, from params, header priority, missing)
  • Integration tests with meck for full pre_request/4 flow
  • 42 tests pass, dialyzer clean

🤖 Generated with Claude Code

Taure and others added 4 commits February 12, 2026 21:57
@Taure @claude
feat: add CSRF protection plugin
dd0d1b2 
Add nova_csrf_plugin using the synchronizer token pattern — generates a
random token per session, stores it server-side, and validates it on
state-changing requests (POST/PUT/PATCH/DELETE).

Also fixes a session limitation where nova_session couldn't read the
session ID on the very first request because nova_stream_h only set it
as a response cookie. Now the session ID is also injected into the Req
map so it's immediately available to the plugin pipeline.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Taure @claude
test: add tests for csrf token injection and session fallback
95d688c 
- nova_basic_handler_test: 8 tests for maybe_inject_csrf_token/2
  (proplist, map, empty, no token in req)
- nova_session_test: 6 tests for nova_session_id Req map fallback
  (get/set via Req key, cookie fallback, priority over cookie,
  error when no session)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Taure @claude
fix: export reply/0 type from nova_plugin to fix dialyzer
e0f4018 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Taure @claude
chore: merge master and resolve rebar.config conflict
8d2a282 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Taure Taure requested a review from burbas February 12, 2026 21:41
@Taure @claude
ci: add buildExpected and testingExpected conclusion jobs
b435783 
These required status checks were configured in branch protection
but never reported by the workflow, blocking all PR merges.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@burbas burbas Awaiting requested review from burbas

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Taure