CSRF protection using HMAC-signed state tokens (RFC 5869, RFC 2104)

ocaml-csrf: enable MDX on lib/csrf.mli, fix broken doc example

Run mdx on lib/csrf.mli so the {[ ... ]} odoc block now type-checks.

The example called an undefined `generate_random_state ()`,
referenced `signed_state` (a free name -- the bound name was
`signed`), and had `(* Valid - proceed with OAuth flow *)` /
`(* Invalid - reject request *)` comments standing in for branch
bodies, which leaves the match expression syntactically invalid.

Replaced with a concrete state literal, the bound `signed` value
threaded into verify_state, and `assert (String.equal s state)`
documenting the round-trip claim instead of a placeholder comment.

+12 -8
+8 -8
lib/csrf.mli
··· 14 14 {2 Usage Example} 15 15 16 16 {[ 17 - (* Generate and sign state for OAuth request *) 18 - let state = generate_random_state () in 19 - let signed = Csrf.sign_state ~secret:"my-secret" state in 20 - (* signed = "abc123...fed.deadbeef..." *) 17 + (* Generate and sign state for an OAuth request. *) 18 + let state = "random-state-12345" 19 + let signed = Csrf.sign_state ~secret:"my-secret" state 21 20 22 - (* Later, verify state from OAuth callback *) 23 - match Csrf.verify_state ~secret:"my-secret" signed_state with 24 - | Some state -> (* Valid - proceed with OAuth flow *) 25 - | None -> (* Invalid - reject request *) 21 + (* Later, verify state from the OAuth callback. *) 22 + let () = 23 + match Csrf.verify_state ~secret:"my-secret" signed with 24 + | Some s -> assert (String.equal s state) 25 + | None -> failwith "invalid state" 26 26 ]} 27 27 28 28 {2 References}
+4
lib/dune
··· 2 2 (name csrf) 3 3 (public_name csrf) 4 4 (libraries nox-kdf.hkdf digestif eqaf)) 5 + 6 + (mdx 7 + (files csrf.mli) 8 + (libraries csrf))
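
Review bot: In lib/csrf.mli, the new `let state = "random-state-12345"` makes the example type-check but drops the only hint that the state value has to be generated randomly for each request, and readers tend to copy doc examples verbatim. Consider a one-line comment above it saying the literal stands in for a fresh, unpredictable value, and likewise that `"my-secret"` is a placeholder for a real key. The removed `(* signed = "abc123...fed.deadbeef..." *)` comment was also the only place the example showed the shape of the signed token; if that format is part of the documented contract, it is worth keeping in the surrounding odoc prose.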
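
Review bot: In lib/dune, the added `(mdx (files csrf.mli) (libraries csrf))` stanza only builds if dune-project enables the extension with a `(using mdx ...)` line, at a version that accepts the `libraries` field, and the diff stats show this commit touching only lib/csrf.mli and lib/dune. Please confirm dune-project already has that line and that mdx is declared as a test dependency of the package, otherwise `dune runtest` will fail on a clean checkout.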