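// The provided token is expected to be the Base64url encoding of SHA-256(session id).
// Reject (rather than throw) when the header is absent or not decodable: a missing or
// malformed CSRF token is a client/forgery error, not a server fault worth a 500.
var tokenId = request.headers("X-CSRF-Token");
if (tokenId == null || tokenId.isEmpty()) {
    // no token supplied at all
    return Optional.empty();
}
byte[] providedToken;
try {
    providedToken = Base64Url.decode(tokenId);
} catch (IllegalArgumentException e) {
    // not valid Base64url (assumed failure mode of Base64Url.decode — confirm against its implementation)
    return Optional.empty();
}
var computedToken = sha256(session.id());
// Constant-time comparison so the check does not leak how many leading bytes matched.
// isEqual treats a null providedToken as a mismatch, so a decoder returning null is also rejected.
if (!MessageDigest.isEqual(providedToken, computedToken)) {
    // token does not match this session: possible forgery attempt
    return Optional.empty();
}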
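// Reference computation for the expected token (what the sha256 helper above produces):
// hash the session id, not the client-supplied header value — hashing tokenId would make
// the "expected" value attacker-controlled and the comparison meaningless.
// "SHA-256" is the standard JCA algorithm name; "sha256" only resolves through a provider
// alias and is not portable. getInstance declares NoSuchAlgorithmException; the caller must
// handle or propagate it. Assumes session.id() is a String (it is passed to sha256 above) — confirm.
var expectedToken = MessageDigest.getInstance("SHA-256")
        .digest(session.id().getBytes(StandardCharsets.UTF_8));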