This repository was archived by the owner on Sep 5, 2024. It is now read-only.

Csrf token? #2

Open
romanoff opened this issue Dec 14, 2015 · 3 comments

Comments

@romanoff

What do you think about the idea of adding tools here to manage csrf tokens?

Here are functions I think could be useful:

  1. Extract csrf token from session
  2. Generate masked csrf token (something like http://apidock.com/rails/ActionController/RequestForgeryProtection/masked_authenticity_token)
  3. Check if submitted masked csrf token corresponds to csrf token stored in session
  4. Generate new csrf token (maybe if session doesn't have one)

Would you accept a pull request with a package that implements some of the functions listed above?

@andrewslotin
Contributor

@romanoff, sounds interesting. My intention for this library was to pass e.g. a Devise-authenticated user to a Go backend. What is the use of passing a CSRF token to the Go app?

@romanoff
Author

Let's say you want to render some slow pages in Go (not with Rails). If that page has some form (or maybe it has some dialog that submits a POST form), then you need a csrf token (if the endpoint the form will be submitted to is still handled by Rails). And the one that you actually need is masked_authenticity_token (it changes all the time). Also, a more complicated scenario could be if this page is the first page the user landed on. In this case you will not only need masked_authenticity_token, but you will also need to generate and write csrf_token into a session.
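
The masked-token generation and check from items 2 and 3 of the list in the opening post, which is also the `masked_authenticity_token` handling described in the comment above, as an added example in Go (not part of the thread or of this library's code). It assumes the pad-XOR layout of the linked Rails method: a 32-byte token stored base64-encoded in the session and a masked form of base64(pad || pad XOR token). The names `Mask`, `Verify`, `decode` and `tokenLen` are hypothetical, and a Rails version that derives or encodes the token differently would need matching changes.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

const tokenLen = 32 // assumed length in bytes of the raw session token

func decode(s string, n int) ([]byte, bool) { // base64-decode, require exactly n bytes
	b, err := base64.StdEncoding.DecodeString(s)
	return b, err == nil && len(b) == n
}

// Mask returns base64(pad || pad XOR token), using a fresh random pad on every call.
func Mask(sessionToken string) (string, error) {
	raw, ok := decode(sessionToken, tokenLen)
	if !ok {
		return "", fmt.Errorf("session token is not %d base64-encoded bytes", tokenLen)
	}
	out := make([]byte, 2*tokenLen)
	if _, err := rand.Read(out[:tokenLen]); err != nil {
		return "", err
	}
	for i, b := range raw {
		out[tokenLen+i] = out[i] ^ b
	}
	return base64.StdEncoding.EncodeToString(out), nil
}

// Verify strips the pad from a submitted token and compares in constant time.
func Verify(sessionToken, submitted string) bool {
	raw, ok1 := decode(sessionToken, tokenLen)
	in, ok2 := decode(submitted, 2*tokenLen)
	if !ok1 || !ok2 {
		return false
	}
	for i := range raw {
		in[i] ^= in[tokenLen+i] // pad XOR (pad XOR token) = token
	}
	return subtle.ConstantTimeCompare(in[:tokenLen], raw) == 1
}

func main() {
	tok := base64.StdEncoding.EncodeToString([]byte("0123456789abcdef0123456789abcdef")) // constructed sample
	m, err := Mask(tok)
	fmt.Println(m, err, Verify(tok, m))
}
```

Because the pad is random per call, every rendered form carries a different string while the session value stays fixed, which is why the Go side needs the session token and not a copy of a previously rendered masked value.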

@andrewslotin
Contributor

Sounds reasonable, please feel free to open a pull request.
