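-- csrf.lua
--
-- Synchronizer-token CSRF protection.  A random token is kept in the session
-- and must be echoed back by the client either in the `_csrf_token` form
-- field or in the `x-csrf-token` / `csrf-token` request header.
--
-- Relies on framework globals defined elsewhere: generate_token, session_set,
-- session_get, html_special_chars, __ctx and __response.

--- Reject the current request and leave the handler.
-- Sets a 403 status and yields the framework's exit sentinel.  The trailing
-- `return false` only matters if the scheduler ever resumes the coroutine
-- after the sentinel; it guarantees callers cannot fall through into the
-- "request is valid" path.
-- @treturn boolean always false
local function csrf_deny()
  __response.status = 403
  coroutine.yield("__EXIT__")
  return false
end

--- Compare two strings without stopping at the first differing byte.
-- Lua's `==` on strings that are not interned may compare byte by byte and
-- return as soon as a difference is found, which can leak through timing how
-- much of the secret a presented value matches.  The length check happens up
-- front; the token length is not secret.
-- @tparam string a
-- @tparam string b
-- @treturn boolean true only when both are strings of identical bytes
local function constant_time_equal(a, b)
  if type(a) ~= "string" or type(b) ~= "string" or #a ~= #b then
    return false
  end
  local mismatches = 0
  -- always walk the full length; never return early on a mismatch
  for i = 1, #a do
    if a:byte(i) ~= b:byte(i) then
      mismatches = mismatches + 1
    end
  end
  return mismatches == 0
end

--- Create a fresh CSRF token and store it in the session.
-- @treturn string the newly generated token
function csrf_generate()
  local token = generate_token(32)
  session_set("_csrf_token", token)
  return token
end

--- Render the hidden form input that carries the session's CSRF token.
-- Reuses the existing session token (creating one on first use) so that every
-- form rendered in a session validates against the same value.  The token is
-- HTML-escaped before being placed in the attribute.
-- @treturn string an `<input type="hidden">` element named `_csrf_token`
function csrf_field()
  local token = session_get("_csrf_token") or csrf_generate()
  -- The original format string was empty and emitted nothing; the field name
  -- must match what csrf_validate reads from `__ctx._request_form._csrf_token`.
  return string.format('<input type="hidden" name="_csrf_token" value="%s">',
                       html_special_chars(token))
end

--- Verify that the request carries the session's CSRF token.
-- The presented token is taken from the `_csrf_token` form field first, then
-- from the `x-csrf-token` or `csrf-token` header.  A missing session token,
-- a missing request token, or a mismatch all yield a 403 and exit the
-- handler; the expected token is never echoed back to the client.
-- @treturn boolean true when the presented token matches the session token
function csrf_validate()
  local session = __ctx.session
  local expected = session and session.data and session.data["_csrf_token"]
  if not expected then
    return csrf_deny()
  end

  local form = __ctx._request_form
  local headers = __ctx._request_headers
  local presented = form and form._csrf_token
  if not presented and headers then
    presented = headers["x-csrf-token"] or headers["csrf-token"]
  end

  -- Also rejects non-string values (e.g. if the form parser hands back a
  -- table for a repeated field) instead of comparing them with `~=`.
  if not constant_time_equal(presented, expected) then
    return csrf_deny()
  end
  return true
end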