csrf

package
v0.0.0-...-891d2fd

This package is not in the latest version of its module.

Published: Feb 18, 2022 License: BSD-3-Clause Imports: 7 Imported by: 0

README

csrf


This package implements a request handler for incoming HTTP requests. It creates a browser session on the client side and issues a token intended to protect against Cross-Site Request Forgery (CSRF).

Instantiation

An anti-CSRF request Handler relies upon a backing session-creating request handler. The Cookie field holds the configuration options (name, path, SameSite and the like) for the anti-CSRF cookie that is sent to the client.


type Handler struct {
	Cookie  http.Cookie // anti-csrf cookie sent to client.
	Session session.Handler
	strict  bool // if true, a request is only valid if the xsrf Header is present.
	next    xhttp.Handler
}

The name of the anti-CSRF cookie should differ from the name of the backing session's cookie: the session is used only as server-side storage for the session data, and two cookies with the same name, domain and path would overwrite each other in the browser.

User-Interface

LaxMode

LaxMode() is a method that removes the requirement that a request carry the anti-CSRF header. This is less secure: the protection then relies entirely on double-checking the anti-CSRF cookie value, and a browser attaches cookies to cross-site requests automatically unless the cookie's SameSite attribute stops it, whereas the header can only be set by script running on the legitimate origin.

Anti-CSRF value retrieval

The anti-CSRF value is stored in the request context while the request is in flight. It can be retrieved via the CtxToken() method. This is useful for server-side rendering of HTML templates, where the token is embedded in a hidden form field.
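The pattern the README describes (session-backed token, strict header check, LaxMode and the context-stored token for templates) as one stand-alone example, added here for this page. It is not the csrf package's code and does not import it; every name in it (the Handler fields, the NewHandler parameters, the X-CSRF-Token header, the xsrf and sid cookie names, the sync.Map standing in for the session backend, Probe) is an assumption of the example, and only the TokenInvalid, HeaderMissing and ErrInvalidSession values are taken from the documented constants. Probe sends three constructed requests through a handler: a GET that bootstraps the session, a same-origin POST that repeats the token in both cookie and header, and a forged cross-site POST that carries only the cookies.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

const TokenInvalid = "Forbidden. anti-CSRF Token/header missing or invalid" // messages reused from the page
const HeaderMissing = "Anti CSRF header is missing"
var ErrInvalidSession = errors.New("Session does not exist ?")
type ctxKey struct{}
// Handler mirrors the fields described on the page; every other name here is an assumption, not the package's API.
type Handler struct {
	Header  string      // header that must repeat the token in strict mode
	Cookie  http.Cookie // template for the anti-CSRF cookie; Name must differ from Session
	Session string      // name of the backing session cookie
	store   *sync.Map   // stand-in for the session backend: session id -> token
	strict  bool
	next    http.Handler
}
func NewHandler(cookieName, sessionName string) Handler {
	return Handler{Header: "X-CSRF-Token", Session: sessionName, store: &sync.Map{}, strict: true,
		Cookie: http.Cookie{Name: cookieName, Path: "/", SameSite: http.SameSiteLaxMode}}
}
func (h Handler) LaxMode() Handler            { h.strict = false; return h }
func (h Handler) Link(n http.Handler) Handler { h.next = n; return h }
// CtxToken returns the token ServeHTTP stored in the request context, e.g. for a hidden form field.
func (h Handler) CtxToken(ctx context.Context) (string, error) {
	if tok, ok := ctx.Value(ctxKey{}).(string); ok {
		return tok, nil
	}
	return "", ErrInvalidSession
}
func eq(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }
// session returns the token bound to the request's session, creating one and issuing both cookies when needed.
func (h Handler) session(w http.ResponseWriter, r *http.Request) string {
	if c, err := r.Cookie(h.Session); err == nil {
		if tok, ok := h.store.Load(c.Value); ok {
			return tok.(string)
		}
	}
	buf := make([]byte, 48)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // refuse to run rather than issue weak tokens
	}
	sid, tok := hex.EncodeToString(buf[:16]), hex.EncodeToString(buf[16:])
	h.store.Store(sid, tok)
	http.SetCookie(w, &http.Cookie{Name: h.Session, Value: sid, Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode})
	h.Cookie.Value = tok // h is a copy; the anti-CSRF cookie is deliberately readable by page scripts
	http.SetCookie(w, &h.Cookie)
	return tok
}

func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	token := h.session(w, r)
	if r.Method != http.MethodGet && r.Method != http.MethodHead && r.Method != http.MethodOptions {
		c, err := r.Cookie(h.Cookie.Name)
		hv := r.Header.Get(h.Header)
		if err != nil || !eq(c.Value, token) || (hv != "" && !eq(hv, token)) { // not bound to this session
			http.Error(w, TokenInvalid, http.StatusForbidden)
			return
		}
		if hv == "" && h.strict {
			http.Error(w, HeaderMissing, http.StatusForbidden)
			return
		}
	}
	h.next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, token)))
}

// Probe returns the status codes of a GET that bootstraps the session, a same-origin POST that
// repeats the token in cookie and header, and a forged cross-site POST carrying only the cookies.
func Probe(base Handler) (getCode, legitCode, forgedCode int) {
	h := base.Link(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, _ := base.CtxToken(r.Context()) // a template would embed this in a hidden field
		fmt.Fprint(w, tok)
	}))
	serve := func(method string, cookies []*http.Cookie, header string) *httptest.ResponseRecorder {
		req := httptest.NewRequest(method, "/transfer", nil)
		for _, c := range cookies {
			req.AddCookie(c)
		}
		req.Header.Set(h.Header, header) // an empty value counts as a missing header
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec
	}
	first := serve(http.MethodGet, nil, "")
	cookies, token := first.Result().Cookies(), first.Body.String()
	return first.Code, serve(http.MethodPost, cookies, token).Code, serve(http.MethodPost, cookies, "").Code
}
func main() { fmt.Println(Probe(NewHandler("xsrf", "sid"))); fmt.Println(Probe(NewHandler("xsrf", "sid").LaxMode())) }
```

In strict mode Probe returns 200, 200, 403 (the forged POST fails with HeaderMissing); after LaxMode() the forged POST also returns 200, which is the weakening the README warns about. The forged request models a browser that attaches the cookies to a cross-site POST, as happens with SameSite=None or a client that does not enforce SameSite; with the cookie template's SameSite=Lax a modern browser would omit them, so in lax mode that attribute is the only defence left.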

Dependencies

This package depends on:

License

BSD 3-clause

Documentation

Overview

Package csrf implements a request handler which generates a token to protect against Cross-Site Request Forgery.

Index

Constants

const (
	TokenInvalid  = "Forbidden. anti-CSRF Token/header missing or invalid"
	HeaderMissing = "Anti CSRF header is missing"
)

Variables

var (
	ErrInvalidSession = errors.New("Session does not exist ?")
)

Functions

This section is empty.

Types

type Handler

type Handler struct {
	Header  string // Name of the anti-csrf request header to check
	Session session.Handler
	// contains filtered or unexported fields
}

Handler is a special type of request handler that creates a token value used to protect against Cross-Site Request Forgery vulnerabilities.

func NewHandler

func NewHandler(name string, secret string, options ...func(Handler) Handler) Handler

NewHandler builds a new anti-CSRF request handler, creating a full session object.

func (Handler) CtxToken

func (h Handler) CtxToken(ctx context.Context) (string, error)

CtxToken returns the encoded session value of a csrf token.

func (Handler) Link

Link enables the linking of an xhttp.Handler to the anti-CSRF request Handler.

func (Handler) ServeHTTP

func (h Handler) ServeHTTP(res http.ResponseWriter, req *http.Request)

ServeHTTP handles the servicing of incoming http requests.
