csrf

package module
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 13, 2022 License: MIT Imports: 9 Imported by: 98

README

mw-csrf

GoDoc

Requirements
  • Go 1.16+ but 1.17 and 1.18 are officially supported
  • Go Modules
Installation
$ go get github.com/gobuffalo/mw-csrf

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// ErrNoReferer is returned when a HTTPS request provides an empty Referer
	// header.
	ErrNoReferer = errors.New("referer not supplied")
	// ErrBadReferer is returned when the scheme & host in the URL do not match
	// the supplied Referer header.
	ErrBadReferer = errors.New("referer invalid")
	// ErrNoToken is returned if no CSRF token is supplied in the request.
	ErrNoToken = errors.New("CSRF token not found in request")
	// ErrBadToken is returned if the CSRF token in the request does not match
	// the token in the session, or is otherwise malformed.
	ErrBadToken = errors.New("CSRF token invalid")
)
View Source
var New = func(next buffalo.Handler) buffalo.Handler {
	return func(c buffalo.Context) error {

		if envy.Get("GO_ENV", "development") == "test" {
			c.Set(tokenKey, "test")
			return next(c)
		}

		req := c.Request()

		ct := req.Header.Get("Content-Type")
		if len(ct) == 0 {
			ct = req.Header.Get("Accept")
		}

		if ct != "" && !contains(htmlTypes, ct) {
			return next(c)
		}

		var realToken []byte
		var err error
		rawRealToken := c.Session().Get(tokenKey)

		if rawRealToken == nil || len(rawRealToken.([]byte)) != tokenLength {

			realToken, err = generateRandomBytes(tokenLength)
			if err != nil {
				return err
			}

			c.Session().Set(tokenKey, realToken)
		} else {
			realToken = rawRealToken.([]byte)
		}

		c.Set(fieldName, mask(realToken, req))

		if !contains(safeMethods, req.Method) {

			if req.URL.Scheme == "https" {

				referer, err := url.Parse(req.Referer())
				if err != nil || referer.String() == "" {
					return ErrNoReferer
				}

				if !sameOrigin(req.URL, referer) {
					return ErrBadReferer
				}
			}

			requestToken := unmask(requestCSRFToken(req))

			if requestToken == nil {
				return ErrNoToken
			}

			if !compareTokens(requestToken, realToken) {
				return ErrBadToken
			}
		}

		return next(c)
	}
}

New enable CSRF protection on routes using this middleware. This middleware is adapted from gorilla/csrf

Functions

This section is empty.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL