chore(auth): #331 add tests for sign out

This commit was merged in pull request #344.
2024-12-22 23:40:09 +01:00
parent fb6cc0acda
commit 52cd85d904
7 changed files with 142 additions and 85 deletions


@@ -5,6 +5,7 @@ import (
"net/http"
"strings"
"me-fit/log"
"me-fit/service"
"me-fit/types"
)
@@ -25,13 +26,11 @@ func newCsrfResponseWriter(w http.ResponseWriter, auth service.Auth, session *ty
func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
dataStr := string(data)
if strings.Contains(dataStr, "</form>") {
csrfToken, err := rr.auth.GetCsrfToken(rr.session)
if err == nil {
csrfField := fmt.Sprintf(`<input type="hidden" name="csrf-token" value="%s">`, csrfToken)
dataStr = strings.ReplaceAll(dataStr, "</form>", csrfField+"</form>")
dataStr = strings.ReplaceAll(dataStr, "CSRF_TOKEN", csrfToken)
}
csrfToken, err := rr.auth.GetCsrfToken(rr.session)
if err == nil {
csrfInput := fmt.Sprintf(`<input type="hidden" name="csrf-token" value="%s" />`, csrfToken)
dataStr = strings.ReplaceAll(dataStr, "</form>", csrfInput+"</form>")
dataStr = strings.ReplaceAll(dataStr, "CSRF_TOKEN", csrfToken)
}
return rr.ResponseWriter.Write([]byte(dataStr))
@@ -57,6 +56,7 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
csrfToken = r.Header.Get("csrf-token")
}
if session == nil || csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
log.Info("CSRF-Token not correct")
http.Error(w, "CSRF-Token not correct", http.StatusBadRequest)
return
}
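Review bot: In the second hunk, `csrfResponseWriter.Write` no longer has the `strings.Contains(dataStr, "</form>")` guard, so every `Write` on every response now calls `rr.auth.GetCsrfToken(rr.session)` and substitutes `CSRF_TOKEN` whatever the content type; if the app ever renders stored user text containing that literal placeholder, the viewer's token would be written into it. Consider limiting the rewrite to HTML responses, for example by returning `rr.ResponseWriter.Write(data)` early unless the `Content-Type` header starts with `text/html` (this assumes handlers set the header before their first write). The method also returns the byte count of the rewritten body, which can exceed `len(data)` and breaks the `io.Writer` contract for callers such as `io.Copy`; returning `len(data), nil` after a successful underlying write avoids that. A failed `GetCsrfToken` is still dropped silently, and now that `me-fit/log` is imported in this file, logging `err` there would explain the 400 responses that follow. The bodies of `Write` and `CrossSiteRequestForgery` extend outside the visible hunks.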