middleware method
Middleware
middleware()
Creates the CSRF middleware
Implementation
Middleware middleware() {
return (Handler handler) {
return (Request request) async {
// Safe methods don't need CSRF protection
if (safeMethods.contains(request.method.toUpperCase())) {
final response = await handler(request);
// Generate token for safe requests
final token = _generateToken();
// Add token to cookie for subsequent requests
return response.change(headers: {
'Set-Cookie': '$cookieName=$token; Path=/; SameSite=Strict; HttpOnly',
});
}
// Validate CSRF token for unsafe methods
final headerToken = request.headers[tokenName.toLowerCase()] ??
request.headers[tokenName];
final cookieToken = _extractTokenFromCookie(request.headers['cookie']);
if (headerToken == null || cookieToken == null) {
return Response.forbidden(
json.encode({'error': 'CSRF token missing'}),
headers: {'Content-Type': 'application/json'},
);
}
if (headerToken != cookieToken) {
return Response.forbidden(
json.encode({'error': 'CSRF token mismatch'}),
headers: {'Content-Type': 'application/json'},
);
}
if (!_validateToken(headerToken)) {
return Response.forbidden(
json.encode({'error': 'Invalid or expired CSRF token'}),
headers: {'Content-Type': 'application/json'},
);
}
// Token is valid, process request
final response = await handler(request);
// Rotate token after successful request
final newToken = _generateToken();
return response.change(headers: {
'Set-Cookie': '$cookieName=$newToken; Path=/; SameSite=Strict; HttpOnly',
});
};
};
}