csrf function

Middleware csrf({
  String headerName = 'X-CSRF-Token',
  String cookieName = 'csrf_token',
})

CSRF protection middleware

Validates that state-changing requests (POST, PUT, DELETE, PATCH) include a CSRF token in the request header that matches the token held in the CSRF cookie. GET, HEAD and OPTIONS requests are always allowed through without a token.

Implementation

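/// Builds CSRF-protection middleware using the double-submit-cookie pattern.
///
/// Requests using a safe method (GET, HEAD, OPTIONS) pass straight through.
/// Any other method must carry a [headerName] header whose value equals the
/// [cookieName] cookie; otherwise a 403 JSON response is returned and the
/// inner handler is never invoked.
///
/// The token comparison runs in fixed time (see `tokensMatch` below) so that
/// a client supplying the header cannot infer the cookie value from response
/// timing; only a length difference is observable.
///
/// NOTE(review): the cookie is neither signed nor bound to a session in this
/// block. Whether that is acceptable depends on how the issuing code sets the
/// cookie (Secure / SameSite / HttpOnly attributes), which is not visible here.
Middleware csrf({
  String headerName = 'X-CSRF-Token',
  String cookieName = 'csrf_token',
}) {
  // Safe (read-only) methods need no token.
  const safeMethods = {'GET', 'HEAD', 'OPTIONS'};

  // Compares two tokens without short-circuiting on the first differing
  // code unit. Returning early on a length mismatch is the usual trade-off
  // for this check: it leaks the token length, never its content.
  bool tokensMatch(String expected, String provided) {
    if (expected.length != provided.length) return false;
    var diff = 0;
    for (var i = 0; i < expected.length; i++) {
      diff |= expected.codeUnitAt(i) ^ provided.codeUnitAt(i);
    }
    return diff == 0;
  }

  // The original lookup lower-cased the header name on every request,
  // presumably because the request header map is keyed in lower case;
  // normalise once here instead.
  final headerKey = headerName.toLowerCase();

  return (Handler innerHandler) {
    return (Request request) async {
      if (safeMethods.contains(request.method)) {
        return innerHandler(request);
      }

      final cookies = _parseCookies(request.headers['cookie'] ?? '');
      final cookieToken = cookies[cookieName];
      final headerToken = request.headers[headerKey];

      // Both sides must be present and the cookie non-empty before comparing;
      // an empty cookie would otherwise trivially "match" an empty header.
      if (cookieToken == null ||
          cookieToken.isEmpty ||
          headerToken == null ||
          !tokensMatch(cookieToken, headerToken)) {
        return Response.forbidden(
          jsonEncode({'error': 'CSRF token mismatch'}),
          headers: {'Content-Type': 'application/json'},
        );
      }

      return innerHandler(request);
    };
  };
}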