veyron/services/identity: Adding CSRF protection to revocation interface in
identity server.
* Tokens are embedded into JS on page load.
* Server validates that token against the request's cookie.
* Server also checks that token matches one of the caveatIDs that the user can
revoke based on a map that is stored in memory.
Future:
* Consider a timeout on entries in the DirectoryStore.
* Ensure that tokens are refreshed frequently enough to ensure that this works.
Change-Id: If7ca60ed9cd2695592cf575657fe406dc29bbf7c
7 files changed
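
One way the two server-side checks listed in the commit message could fit together, as an added example that is not the veyron code from this change. The HMAC token construction, the layout of the in-memory map, and the names revocable, mintToken and checkRevoke are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// revocable is an assumed stand-in for the in-memory map:
// session cookie value -> caveat IDs that session's user may revoke.
type revocable map[string]map[string]bool

// mintToken builds the value embedded in the page's JS. The HMAC covers the
// cookie and the caveat ID, so the token is useless with any other cookie.
func mintToken(key []byte, cookie, caveatID string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(cookie + "\x00" + caveatID)) // NUL cannot occur in a cookie
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil)) + "." + caveatID
}

// checkRevoke returns the caveat ID to revoke only if every check passes.
func checkRevoke(key []byte, store revocable, cookie, token string) (string, error) {
	i := strings.IndexByte(token, '.')
	if cookie == "" || i < 0 {
		return "", errors.New("missing cookie or malformed token")
	}
	caveatID := token[i+1:]
	// Check 1: token was minted for this cookie (constant-time compare).
	if !hmac.Equal([]byte(mintToken(key, cookie, caveatID)), []byte(token)) {
		return "", errors.New("token does not match request cookie")
	}
	// Check 2: the caveat ID is one this user is allowed to revoke.
	if !store[cookie][caveatID] {
		return "", errors.New("caveat not revocable by this user")
	}
	return caveatID, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed; use random bytes in practice
	store := revocable{"sess-alice": {"caveat-1": true}}
	tok := mintToken(key, "sess-alice", "caveat-1")
	fmt.Println(checkRevoke(key, store, "sess-alice", tok))   // accepted
	fmt.Println(checkRevoke(key, store, "sess-mallory", tok)) // wrong cookie
}
```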