[FEATURE] CSRF Token Encoding and Decoding in Base64 URI Safe Format #179

Open
1 task done
Sang-Hyuk opened this issue Dec 6, 2024 · 0 comments

@Sang-Hyuk

Is there an existing feature request for this?

  • I have searched the existing feature requests

Is your feature request related to a problem? Please describe.

Can we encode and decode CSRF tokens in a URL-safe Base64 format for use as the state parameter in OAuth authentication?

Looking at the library, CSRF tokens consistently appear to follow the base64.StdEncoding format.

// requestToken returns the issued token (pad + masked token) from the HTTP POST
// body or HTTP header. It will return nil if the token fails to decode.
func (cs *csrf) requestToken(r *http.Request) ([]byte, error) {
    // 1. Check the HTTP header first.
    issued := r.Header.Get(cs.opts.RequestHeader)

    // 2. Fall back to the POST (form) value.
    if issued == "" {
        issued = r.PostFormValue(cs.opts.FieldName)
    }

    // 3. Finally, fall back to the multipart form (if set).
    if issued == "" && r.MultipartForm != nil {
        vals := r.MultipartForm.Value[cs.opts.FieldName]

        if len(vals) > 0 {
            issued = vals[0]
        }
    }

    // Return nil (equivalent to empty byte slice) if no token was found
    if issued == "" {
        return nil, nil
    }

    // Decode the "issued" (pad + masked) token sent in the request. Return a
    // nil byte slice on a decoding error (this will fail upstream).
    decoded, err := base64.StdEncoding.DecodeString(issued)
    if err != nil {
        return nil, err
    }

    return decoded, nil
}

Describe the solution that you would like.

I would like to have an option that supports URL-safe Base64 Encoding and Decoding for CSRF tokens.

Describe alternatives you have considered.

No response

Anything else?

No response
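
An added example, not part of the original issue or the library's own code: one way an application could transcode a standard-Base64 CSRF token into unpadded URL-safe Base64 for an OAuth `state` value, and back again before the token is handed to the validation path shown above. The function names and the sample token bytes are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
)

// ToURLSafe (hypothetical helper) re-encodes a token issued in
// base64.StdEncoding as unpadded URL-safe Base64: no '+', '/' or '='.
func ToURLSafe(stdToken string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stdToken)
	if err != nil {
		return "", fmt.Errorf("token is not standard Base64: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// FromURLSafe (hypothetical helper) restores the StdEncoding form that
// the requestToken code quoted in the issue expects to decode.
func FromURLSafe(state string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(state)
	if err != nil {
		return "", fmt.Errorf("state is not URL-safe Base64: %w", err)
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// SurvivesQuery reports whether a value written unescaped into a query
// string is read back unchanged by a standard query parser.
func SurvivesQuery(v string) bool {
	q, err := url.ParseQuery("state=" + v)
	return err == nil && q.Get("state") == v
}

// SampleToken returns constructed bytes (not a real CSRF token) chosen
// so the StdEncoding form contains '+', '/' and '='.
func SampleToken() string {
	return base64.StdEncoding.EncodeToString([]byte{0xfb, 0xef, 0xbe, 0xff, 0x3e})
}

func main() {
	std := SampleToken()
	safe, _ := ToURLSafe(std)
	back, _ := FromURLSafe(safe)
	fmt.Println(std, SurvivesQuery(std))   // '+' is parsed as a space
	fmt.Println(safe, SurvivesQuery(safe)) // unchanged by the parser
	fmt.Println(back == std)
}
```

A `state` value that fails `FromURLSafe` should be rejected outright rather than passed on to token comparison.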
