csrf

package
v2.50.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 16, 2023 License: MIT Imports: 14 Imported by: 61

Documentation

Index

Constants

View Source
const HeaderName = "X-Csrf-Token"

Variables

View Source
var (
	ErrTokenNotFound = errors.New("csrf token not found")
	ErrTokenInvalid  = errors.New("csrf token invalid")
	ErrNoReferer     = errors.New("referer not supplied")
	ErrBadReferer    = errors.New("referer invalid")
)
View Source
var (
	ErrMissingHeader = errors.New("missing csrf token in header")
	ErrMissingQuery  = errors.New("missing csrf token in query")
	ErrMissingParam  = errors.New("missing csrf token in param")
	ErrMissingForm   = errors.New("missing csrf token in form")
	ErrMissingCookie = errors.New("missing csrf token in cookie")
)
View Source
var ConfigDefault = Config{
	KeyLookup:         "header:" + HeaderName,
	CookieName:        "csrf_",
	CookieSameSite:    "Lax",
	Expiration:        1 * time.Hour,
	KeyGenerator:      utils.UUIDv4,
	ErrorHandler:      defaultErrorHandler,
	Extractor:         CsrfFromHeader(HeaderName),
	SessionKey:        "fiber.csrf.token",
	HandlerContextKey: "fiber.csrf.handler",
}

ConfigDefault is the default config

Functions

func CsrfFromCookie added in v2.37.0

func CsrfFromCookie(param string) func(c *fiber.Ctx) (string, error)

csrfFromCookie returns a function that extracts token from the cookie header.

func CsrfFromForm added in v2.37.0

func CsrfFromForm(param string) func(c *fiber.Ctx) (string, error)

csrfFromForm returns a function that extracts a token from a multipart-form.

func CsrfFromHeader added in v2.37.0

func CsrfFromHeader(param string) func(c *fiber.Ctx) (string, error)

csrfFromHeader returns a function that extracts token from the request header.

func CsrfFromParam added in v2.37.0

func CsrfFromParam(param string) func(c *fiber.Ctx) (string, error)

csrfFromParam returns a function that extracts token from the url param string.

func CsrfFromQuery added in v2.37.0

func CsrfFromQuery(param string) func(c *fiber.Ctx) (string, error)

csrfFromQuery returns a function that extracts token from the query string.

func New

func New(config ...Config) fiber.Handler

New creates a new middleware handler

Types

type CSRFHandler added in v2.50.0

type CSRFHandler struct {
	// contains filtered or unexported fields
}

func (*CSRFHandler) DeleteToken added in v2.50.0

func (handler *CSRFHandler) DeleteToken(c *fiber.Ctx) error

DeleteToken removes the token found in the context from the storage and expires the CSRF cookie

type Config

type Config struct {
	// Next defines a function to skip this middleware when returned true.
	//
	// Optional. Default: nil
	Next func(c *fiber.Ctx) bool

	// KeyLookup is a string in the form of "<source>:<key>" that is used
	// to create an Extractor that extracts the token from the request.
	// Possible values:
	// - "header:<name>"
	// - "query:<name>"
	// - "param:<name>"
	// - "form:<name>"
	// - "cookie:<name>"
	//
	// Ignored if an Extractor is explicitly set.
	//
	// Optional. Default: "header:X-CSRF-Token"
	KeyLookup string

	// Name of the session cookie. This cookie will store session key.
	// Optional. Default value "csrf_".
	// Overridden if KeyLookup == "cookie:<name>"
	CookieName string

	// Domain of the CSRF cookie.
	// Optional. Default value "".
	CookieDomain string

	// Path of the CSRF cookie.
	// Optional. Default value "".
	CookiePath string

	// Indicates if CSRF cookie is secure.
	// Optional. Default value false.
	CookieSecure bool

	// Indicates if CSRF cookie is HTTP only.
	// Optional. Default value false.
	CookieHTTPOnly bool

	// Value of SameSite cookie.
	// Optional. Default value "Lax".
	CookieSameSite string

	// Decides whether cookie should last for only the browser sesison.
	// Ignores Expiration if set to true
	CookieSessionOnly bool

	// Expiration is the duration before csrf token will expire
	//
	// Optional. Default: 1 * time.Hour
	Expiration time.Duration

	// SingleUseToken indicates if the CSRF token be destroyed
	// and a new one generated on each use.
	//
	// Optional. Default: false
	SingleUseToken bool

	// Store is used to store the state of the middleware
	//
	// Optional. Default: memory.New()
	// Ignored if Session is set.
	Storage fiber.Storage

	// Session is used to store the state of the middleware
	//
	// Optional. Default: nil
	// If set, the middleware will use the session store instead of the storage
	Session *session.Store

	// SessionKey is the key used to store the token in the session
	//
	// Default: "fiber.csrf.token"
	SessionKey string

	// Context key to store generated CSRF token into context.
	// If left empty, token will not be stored in context.
	//
	// Optional. Default: ""
	ContextKey string

	// KeyGenerator creates a new CSRF token
	//
	// Optional. Default: utils.UUID
	KeyGenerator func() string

	// Deprecated: Please use Expiration
	CookieExpires time.Duration

	// Deprecated: Please use Cookie* related fields
	Cookie *fiber.Cookie

	// Deprecated: Please use KeyLookup
	TokenLookup string

	// ErrorHandler is executed when an error is returned from fiber.Handler.
	//
	// Optional. Default: DefaultErrorHandler
	ErrorHandler fiber.ErrorHandler

	// Extractor returns the csrf token
	//
	// If set this will be used in place of an Extractor based on KeyLookup.
	//
	// Optional. Default will create an Extractor based on KeyLookup.
	Extractor func(c *fiber.Ctx) (string, error)

	// HandlerContextKey is used to store the CSRF Handler into context
	//
	// Default: "fiber.csrf.handler"
	HandlerContextKey string
}

Config defines the config for middleware.

type Token added in v2.50.0

type Token struct {
	Key        string    `json:"key"`
	Raw        []byte    `json:"raw"`
	Expiration time.Time `json:"expiration"`
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL