
Eric Peterson

December 22, 2017


I love modules that help me do the right thing in my code, especially when I often forget to do something. Today's module is very straightforward — [verify-csrf-interceptor](https://www.forgebox.io/view/verify-csrf-interceptor) — an interceptor that automatically checks for CSRF tokens on all non-GET requests to help protect against [cross-site request forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).

verify-csrf-interceptor

To mitigate CSRF attacks, CFML has two built-in methods to handle CSRF tokens — csrfGenerateToken and csrfVerifyToken. You should include a generated token in every form submission in your application and verify it in your handlers or controllers.

It's very easy to miss this, though, because you have to wire up both the token generation in the form and the token verification in the handler. This interceptor takes care of the token verification.
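Here is the half the interceptor does not do for you: the form side. This is an added example, not code from the module, and it assumes a ColdBox view at views/contact/form.cfm that posts to a hypothetical contact.send event. The hidden field must be named _token, because that is the request value the interceptor looks up on every non-GET request.

```cfml
<!--- views/contact/form.cfm (assumed path; added example, not part of verify-csrf-interceptor) --->
<cfoutput>
<form method="post" action="#event.buildLink( "contact.send" )#">
    <!---
        csrfGenerateToken() ties the token to the current session.
        The interceptor reads the request value named "_token" and
        passes it to csrfVerifyToken() before the handler runs.
    --->
    <input type="hidden" name="_token" value="#csrfGenerateToken()#">

    <label>Email <input type="email" name="email" required></label>
    <button type="submit">Send</button>
</form>
</cfoutput>
```

Any form or AJAX call that submits with POST, PUT, PATCH or DELETE needs to carry this value; a request that omits it is rejected by the interceptor with a TokenMismatchException before the handler code executes.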

It's such a short component that we can look at it in its entirety here:

/**
* Verifies the CSRF token on all non-GET requests
*/
component extends="coldbox.system.Interceptor"{
    
    public void function configure() {}

    // Runs before every event; GET requests are never checked
    public void function preEvent( event, interceptData ) {
        if ( event.getHTTPMethod() == "GET" ) {
            return;
        }

        // Actions annotated with skipCSRFCheck opt out explicitly
        if ( actionMarkedToSkip( event, interceptData ) ) {
            return;
        }

        // A missing token and an invalid token are both rejected,
        // but with different messages so the failure is diagnosable
        if ( ! event.valueExists( "_token" ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token was not included."
            );
        }

        if ( ! CSRFVerifyToken( event.getValue( "_token" ) ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token is invalid."
            );
        }
    }

    // Looks up the metadata of the handler method about to run and
    // returns true if it carries a skipCSRFCheck annotation
    private boolean function actionMarkedToSkip(
        required event,
        required struct interceptData
    ) {
        var handler = getController()
            .getHandlerService()
            .getRegisteredHandler( interceptData.processedEvent );

        var md = getComponentMetadata(
            "#handler.getInvocationPath()#.#handler.getHandler()#"
        );

        var funcs = arrayFilter( md.functions, function( func ) {
            return func.name == handler.getMethod();
        } );

        if ( NOT arrayIsEmpty( funcs ) ) {
            if ( structKeyExists( funcs[1], "skipCSRFCheck" ) ) {
                return true;
            }
        }

        return false;
    }
    
}
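To show how the skipCSRFCheck annotation in actionMarkedToSkip() is used from the handler side, here is an added example handler that is not part of the module. It assumes a hypothetical handlers/contact.cfc with a form action (GET, never checked), a send action (POST, verified by the interceptor before it runs) and a webhook action that opts out because the caller has no browser session and is authenticated some other way. The interceptor only tests for the presence of the annotation key, so any value works; "true" is used here for readability.

```cfml
// handlers/contact.cfc (assumed path; added example, not part of verify-csrf-interceptor)
component extends="coldbox.system.EventHandler" {

    // GET: renders the form. GET requests are skipped by the interceptor.
    function form( event, rc, prc ) {
        event.setView( "contact/form" );
    }

    // POST: by the time this runs, preEvent() has already verified rc._token,
    // so the handler contains no CSRF code of its own.
    function send( event, rc, prc ) {
        // ... process rc.email ...
        relocate( "contact.form" );
    }

    // Explicit opt-out. actionMarkedToSkip() finds this key in the function
    // metadata returned by getComponentMetadata() and returns early.
    // Only do this for endpoints that authenticate the caller another way.
    function webhook( event, rc, prc ) skipCSRFCheck="true" {
        event.renderData( type = "json", data = { "received" : true } );
    }

}
```

Because the opt-out is a per-action annotation rather than a configuration list, it lives next to the code it affects and shows up in code review; grepping your handlers for skipCSRFCheck gives you the complete inventory of unprotected non-GET actions.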

Wrap Up

Protect yourself from simple omissions like forgetting to generate and verify CSRF tokens — install verify-csrf-interceptor today and it will start verifying for you with no further configuration. That's the power of ColdBox modules!
