Blog

The 12 Modules of (ForgeBox) Christmas — Day 9 — verify-csrf-interceptor

12 Modules of (ForgeBox) Christmas, ColdBox MVC, CommandBox, ForgeBox, Modules
Eric Peterson December 22, 2017

Spread the word

Eric Peterson

December 22, 2017

Spread the word

Share your thoughts

Ortus Solutions
I love modules that help me do the right thing in my code, especially when I often forget to do something. Today's module is very straight-forward — [verify-csrf-interceptor](https://www.forgebox.io/view/verify-csrf-interceptor) — an interceptor that will automatically check for CSRF tokens for all non-GET requests to help protect against [cross-site request forgery.](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))

verify-csrf-interceptor

To mitigate CSRF attacks, CFML has two built-in methods to handle CSRF tokens — csrfGenerateToken and csrfVerifyToken. You should include a generate token in any form submission in your application and verify it in your handlers or controllers.

It's very easy to miss this, though, because you have to wire up both the token generation in the form and the token verification in the handler. This interceptor takes care of the token verification.

It's such a short function, let's take a look at it in its entirety here:

/**
* Verifies the CSRF token on all non-GET requests
*/
component extends="coldbox.system.Interceptor"{
    
    public void function configure() {}

    public void function preEvent( event, interceptData ) {
        if ( event.getHTTPMethod() == "GET" ) {
            return;
        }

        if ( actionMarkedToSkip( event, interceptData ) ) {
            return;
        }

        if ( ! event.valueExists( "_token" ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token was not included."
            );
        }

        if ( ! CSRFVerifyToken( event.getValue( "_token" ) ) ) {
            throw(
                type = "TokenMismatchException",
                message = "The CSRF token is invalid."
            );
        }
    }

    private boolean function actionMarkedToSkip(
        required event,
        required struct interceptData
    ) {
        var handler = getController()
            .getHandlerService()
            .getRegisteredHandler( interceptData.processedEvent );

        var md = getComponentMetadata(
            "#handler.getInvocationPath()#.#handler.getHandler()#"
        );

        var funcs = arrayFilter( md.functions, function( func ) {
            return func.name == handler.getMethod();
        } );

        if ( NOT arrayIsEmpty( funcs ) ) {
            if ( structKeyExists( funcs[1], "skipCSRFCheck" ) ) {
                return true;
            }
        }

        return false;
    }
    
}

Wrap Up

Protect yourself from simple omissions like forgetting to generate and verify CSRF tokens — install verify-csrf-interceptor today and it will start verifying for you with no further configuration. That's the power of ColdBox modules!

Add Your Comment

Recent Entries

Is Cloud the Answer for Your ColdFusion Dilemma?

Is Cloud the Answer for Your ColdFusion Dilemma?

Feeling the limits of an on-premise ColdFusion setup?

Many businesses face high costs, limited scalability, and performance bottlenecks, leaving them wondering if the cloud could be the answer.

In our FREE whitepaper, "Is Cloud the Answer for Your ColdFusion Dilemma?", we explore:

  • Benefits of Migrating to the Cloud: From cost savings to increased flexibility, find out what a cloud-based ColdFusion setup can do.
Cristobal Escobar
Cristobal Escobar
November 13, 2024
Mastering Events and Listeners in CBWIRE

Mastering Events and Listeners in CBWIRE

In CBWIRE, events and listeners are the backbone of building responsive, modular applications without relying heavily on JavaScript. This guide walks you through setting up and using CBWIRE events to create seamless interactions between components, from dispatching events in CFML and frontend templates to listening with Alpine.js and JavaScript. Learn how to make your applications feel dynamic and engaging by effortlessly connecting components. Whether you’re triggering events to update a dashboard or targeting specific parts of your app with dispatchTo, these techniques will empower you to create a modern, interactive CFML experience with ease.

Grant Copley
Grant Copley
November 11, 2024
10 Key Benefits of Hiring a Specialized ColdFusion Consulting Team

10 Key Benefits of Hiring a Specialized ColdFusion Consulting Team

ColdFusion remains a powerful and versatile platform for building dynamic web applications. However, keeping your ColdFusion environment optimized, secure, and scalable requires specialized expertise. Whether managing a long-standing ColdFusion application or planning new development projects, hiring a dedicated ColdFusion consulting and support team can be a game-changer for CTOs, CIOs, and developers. Here's why:

1. Expert Guidance on ColdFusion Web Development

...

Cristobal Escobar
Cristobal Escobar
November 08, 2024