feat(security): #286 implement csrf middleware

2024-12-04 23:15:40 +01:00
parent bbcdbf7a01
commit 57989c9b03
18 changed files with 484 additions and 204 deletions
--- a/handler/middleware/authenticate.go
+++ b/handler/middleware/authenticate.go
@@ -0,0 +1,47 @@
+package middleware
+
+import (
+	"context"
+	"me-fit/service"
+
+	"net/http"
+)
+
+type ContextKey string
+
+var SessionKey ContextKey = "session"
+
+func Authenticate(service service.Auth) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			sessionId := getSessionID(r)
+			session, _ := service.SignInSession(sessionId)
+
+			if session != nil {
+				ctx := context.WithValue(r.Context(), SessionKey, session)
+
+				next.ServeHTTP(w, r.WithContext(ctx))
+			} else {
+				next.ServeHTTP(w, r)
+			}
+		})
+	}
+}
+
+func GetSession(r *http.Request) *service.Session {
+	obj := r.Context().Value(SessionKey)
+	if obj == nil {
+		return nil
+	}
+
+	return obj.(*service.Session)
+}
+
+func getSessionID(r *http.Request) string {
+	cookie, err := r.Cookie("id")
+	if err != nil {
+		return ""
+	}
+
+	return cookie.Name
+}
--- a/handler/middleware/cross_site_request_forgery.go
+++ b/handler/middleware/cross_site_request_forgery.go
@@ -0,0 +1,63 @@
+package middleware
+
+import (
+	"fmt"
+	"me-fit/service"
+	"strings"
+
+	"net/http"
+)
+
+type csrfResponseWriter struct {
+	http.ResponseWriter
+	auth    service.Auth
+	session *service.Session
+}
+
+func newCsrfResponseWriter(w http.ResponseWriter, auth service.Auth, session *service.Session) *csrfResponseWriter {
+	return &csrfResponseWriter{
+		ResponseWriter: w,
+		auth:           auth,
+		session:        session,
+	}
+}
+
+
+TODO: Create session for CSRF token
+
+func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
+	dataStr := string(data)
+	if strings.Contains(dataStr, "</form>") {
+		csrfToken, err := rr.auth.GetCsrfToken(rr.session)
+		if err == nil {
+			csrfField := fmt.Sprintf(`<input type="hidden" name="csrf-token" value="%s">`, csrfToken)
+			dataStr = strings.ReplaceAll(dataStr, "</form>", csrfField+"</form>")
+		}
+	}
+
+	return rr.ResponseWriter.Write([]byte(dataStr))
+}
+
+func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+			session := GetSession(r)
+
+			if r.Method == http.MethodPost ||
+				r.Method == http.MethodPut ||
+				r.Method == http.MethodDelete ||
+				r.Method == http.MethodPatch {
+
+				csrfToken := r.FormValue("csrf-token")
+				if csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
+					http.Error(w, "", http.StatusForbidden)
+					return
+				}
+			}
+
+			responseWriter := newCsrfResponseWriter(w, auth, session)
+			next.ServeHTTP(responseWriter, r)
+		})
+	}
+}