64 lines
1.5 KiB
Go
64 lines
1.5 KiB
Go
package middleware
|
|
|
|
import (
|
|
"fmt"
|
|
"me-fit/service"
|
|
"strings"
|
|
|
|
"net/http"
|
|
)
|
|
|
|
type csrfResponseWriter struct {
|
|
http.ResponseWriter
|
|
auth service.Auth
|
|
session *service.Session
|
|
}
|
|
|
|
func newCsrfResponseWriter(w http.ResponseWriter, auth service.Auth, session *service.Session) *csrfResponseWriter {
|
|
return &csrfResponseWriter{
|
|
ResponseWriter: w,
|
|
auth: auth,
|
|
session: session,
|
|
}
|
|
}
|
|
|
|
|
|
TODO: Create session for CSRF token
|
|
|
|
func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
|
|
dataStr := string(data)
|
|
if strings.Contains(dataStr, "</form>") {
|
|
csrfToken, err := rr.auth.GetCsrfToken(rr.session)
|
|
if err == nil {
|
|
csrfField := fmt.Sprintf(`<input type="hidden" name="csrf-token" value="%s">`, csrfToken)
|
|
dataStr = strings.ReplaceAll(dataStr, "</form>", csrfField+"</form>")
|
|
}
|
|
}
|
|
|
|
return rr.ResponseWriter.Write([]byte(dataStr))
|
|
}
|
|
|
|
func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
session := GetSession(r)
|
|
|
|
if r.Method == http.MethodPost ||
|
|
r.Method == http.MethodPut ||
|
|
r.Method == http.MethodDelete ||
|
|
r.Method == http.MethodPatch {
|
|
|
|
csrfToken := r.FormValue("csrf-token")
|
|
if csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
|
|
http.Error(w, "", http.StatusForbidden)
|
|
return
|
|
}
|
|
}
|
|
|
|
responseWriter := newCsrfResponseWriter(w, auth, session)
|
|
next.ServeHTTP(responseWriter, r)
|
|
})
|
|
}
|
|
}
|