Documentation
Index
Constants
This section is empty.
Variables
var (
	// ErrNoReferer is returned when an HTTPS request provides an empty Referer
	// header.
	ErrNoReferer = errors.New("referer not supplied")
	// ErrBadReferer is returned when the scheme & host in the URL do not match
	// the supplied Referer header.
	ErrBadReferer = errors.New("referer invalid")
	// ErrNoToken is returned if no CSRF token is supplied in the request.
	ErrNoToken = errors.New("CSRF token not found in request")
	// ErrBadToken is returned if the CSRF token in the request does not match
	// the token in the session, or is otherwise malformed.
	ErrBadToken = errors.New("CSRF token invalid")
)
var Middleware = func(next buffalo.Handler) buffalo.Handler {
	warningMsg := "csrf.Middleware is deprecated, and will be removed in v0.10.0. Use csrf.New instead."
	// Record the caller so the deprecation message can point at the call site.
	_, file, no, ok := runtime.Caller(1)
	if ok {
		warningMsg = fmt.Sprintf("%s Called from %s:%d", warningMsg, file, no)
	}
	// As shown here, warningMsg is built but never logged or returned; the
	// function simply delegates to New.
	return New(next)
}
Middleware is deprecated, and will be removed in v0.10.0. Use csrf.New instead.
var New = func(next buffalo.Handler) buffalo.Handler {
	return func(c buffalo.Context) error {
		// The whole check is bypassed when GO_ENV is "test".
		if envy.Get("GO_ENV", "development") == "test" {
			return next(c)
		}

		req := c.Request()
		// Only requests whose Content-Type (or, failing that, Accept) is one of
		// htmlTypes are checked; anything else is passed straight through.
		ct := defaults.String(req.Header.Get("Content-Type"), req.Header.Get("Accept"))
		if ct != "" && !contains(htmlTypes, ct) {
			return next(c)
		}

		// Load the real token from the session, or generate a fresh one if it is
		// missing or has the wrong length.
		var realToken []byte
		rawRealToken := c.Session().Get(tokenKey)
		if rawRealToken == nil || len(rawRealToken.([]byte)) != tokenLength {
			// Assign to the outer realToken. The code as published used ":=" on
			// this line, which declared a second realToken scoped to this block
			// and left the outer one nil for the mask and compare below.
			var err error
			realToken, err = generateRandomBytes(tokenLength)
			if err != nil {
				return err
			}
			c.Session().Set(tokenKey, realToken)
		} else {
			realToken = rawRealToken.([]byte)
		}

		// Expose a per-request masked copy of the token for templates.
		c.Set(fieldName, mask(realToken, req))

		if !contains(safeMethods, req.Method) {
			// Referer check, only taken when the request URL carries an https
			// scheme.
			if req.URL.Scheme == "https" {
				referer, err := url.Parse(req.Referer())
				if err != nil || referer.String() == "" {
					return ErrNoReferer
				}
				if !sameOrigin(req.URL, referer) {
					return ErrBadReferer
				}
			}

			// Unmask the submitted token and compare it with the session token.
			requestToken := unmask(requestCSRFToken(req))
			if requestToken == nil {
				return ErrNoToken
			}
			if !compareTokens(requestToken, realToken) {
				return ErrBadToken
			}
		}

		return next(c)
	}
}
New enables CSRF protection on routes that use this middleware. It is adapted from gorilla/csrf.

Points to be aware of, all visible in the code above. The check is skipped outright when GO_ENV is "test", so that value must never reach a production deployment. It is also skipped for any request whose Content-Type (or, if that is absent, Accept) header is not in htmlTypes; a cross-site HTML form can be submitted as application/x-www-form-urlencoded, multipart/form-data or text/plain, so htmlTypes and the contains comparison need to cover those, including header values that carry a charset or boundary parameter. The Referer check runs only when req.URL.Scheme is "https"; a request received by net/http normally arrives in origin form with an empty Scheme, so in practice that branch is rarely taken and the token comparison is the check that is relied on. For every method outside safeMethods the submitted token is unmasked and compared with the session token, and ErrNoToken or ErrBadToken is returned to the caller on failure.
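The masking, unmasking and comparison helpers that the middleware calls (mask, unmask, compareTokens, sameOrigin, generateRandomBytes) are not shown on this page. The following is an added, self-contained example in the style of the gorilla/csrf scheme the middleware is adapted from; it is illustrative code written for this page, not the project's own implementation. The 32-byte token length, the base64 encoding, the safeMethods list and the checkRequest helper that mirrors the unsafe-method branch are assumptions made here.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// tokenLength is assumed here; the page does not state the project's value.
const tokenLength = 32

var (
	errNoToken  = errors.New("CSRF token not found in request")
	errBadToken = errors.New("CSRF token invalid")
)

// safeMethods: HTTP methods that do not change state and are not checked (assumed).
var safeMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"}

// generateRandomBytes returns n bytes from crypto/rand.
func generateRandomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// xorToken XORs a and b byte by byte over the shorter of the two lengths.
func xorToken(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// mask returns base64(otp || realToken XOR otp) with a fresh one-time pad per
// call, so the same session token renders differently on every page. A secret
// that never repeats verbatim in responses is what defeats BREACH-style
// compression side channels.
func mask(realToken []byte) (string, error) {
	otp, err := generateRandomBytes(len(realToken))
	if err != nil {
		return "", err
	}
	out := make([]byte, 0, 2*len(realToken))
	out = append(out, otp...)
	out = append(out, xorToken(otp, realToken)...)
	return base64.StdEncoding.EncodeToString(out), nil
}

// unmask recovers the real token from a masked string; nil means malformed.
func unmask(issued string) []byte {
	raw, err := base64.StdEncoding.DecodeString(issued)
	if err != nil || len(raw) != 2*tokenLength {
		return nil
	}
	return xorToken(raw[:tokenLength], raw[tokenLength:])
}

// compareTokens runs in constant time so the check does not leak how many
// leading bytes of a guess were correct.
func compareTokens(a, b []byte) bool {
	return len(a) == len(b) && subtle.ConstantTimeCompare(a, b) == 1
}

// sameOrigin is the Referer test: scheme and host must both match.
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && a.Host == b.Host
}

// checkRequest mirrors the unsafe-method branch of the middleware: safe methods
// pass, otherwise the submitted (masked) token must unmask to the session token.
func checkRequest(method string, sessionToken []byte, submitted string) error {
	for _, m := range safeMethods {
		if method == m {
			return nil
		}
	}
	got := unmask(submitted)
	if got == nil {
		return errNoToken
	}
	if !compareTokens(got, sessionToken) {
		return errBadToken
	}
	return nil
}

func main() {
	realTok, _ := generateRandomBytes(tokenLength)
	m1, _ := mask(realTok)
	m2, _ := mask(realTok)
	fmt.Println("masked tokens differ:", m1 != m2)
	fmt.Println("POST with valid token:", checkRequest("POST", realTok, m1))
	fmt.Println("POST with no token:", checkRequest("POST", realTok, ""))
}
```

Running it shows two different masked strings for one session token, both of which unmask to the same value and pass checkRequest, while an empty or malformed submission yields the no-token error and a token masked from a different session yields the bad-token error.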
Functions
This section is empty.
Types
This section is empty.